HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-48313Published Modified CNA adobe

CVE-2026-48313: ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

CVSS v3.1
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A path traversal vulnerability in Adobe ColdFusion versions 2025.9, 2023.20, and earlier allows an unauthenticated remote attacker to read arbitrary files and perform limited writes on the host file system. The flaw is reachable directly over the network with no credentials or victim interaction required, and the changed scope means impact can extend beyond the ColdFusion process itself to other components on the same host. Successful exploitation gives an attacker access to sensitive files outside the web root and limited ability to modify file system content. HarborGuard is tracking the advisory for patch availability, as no fix version has been published by Adobe.

HarborGuard Coverage

Detection

Detection of CVE-2026-48313 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built ColdFusion-based images, across all connected registries and CI/CD pipelines. Any image running an affected ColdFusion release (2025.9, 2023.20, or earlier) is flagged automatically on each scan cycle.

Available
Triage

Triage is available with the full CVSS v3.1 score of 9.3 (Critical), weighted further against each customer organization's compliance policy to determine urgency and routing priority. Findings are routed to the appropriate team inbox within each customer org based on configured ownership and policy rules.

Available
Patch

Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe ships a remediated release. In the interim, compensating controls such as network policy isolation and egress filtering can be applied through HarborGuard's policy engine where customer compliance policy permits.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the ColdFusion service over the network; no prior foothold on the host is needed.

  • AuthenticationNot required

    No credentials of any privilege level are required to trigger the path traversal.

  • Victim interactionNot required

    Exploitation is fully server-side and does not depend on any action by a user or administrator.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or knowledge of memory layout.

Blast Radius

  • An attacker reads arbitrary files on the ColdFusion host, including configuration files, credential stores, private keys, and application source code outside the web root.
  • The changed scope means sensitive files belonging to the operating system or co-located services, not just ColdFusion itself, are within reach.
  • Limited file system write access allows an attacker to plant or modify files, which can serve as a stepping stone toward persistence or code execution depending on file permissions.
  • Exposure of credentials or session material found in configuration files enables follow-on attacks against connected databases, directories, or internal services.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all customer images on every scan cycle, so any environment running an affected ColdFusion version is identified without delay. Because Adobe has not yet published a fix, no patched-image rebuild is available; HarborGuard will generate and surface that rebuild automatically the moment an upstream fix is released. While awaiting a patch, customers can apply compensating controls through HarborGuard's policy engine: isolating affected containers with restrictive network policies to limit inbound reach, applying egress filtering to reduce attacker-controlled outbound calls, and gating any optional ColdFusion features that expand file system exposure. Where compliance policy permits auto-remediation, a rebuild and regression run will be triggered and a PR opened against affected workloads as soon as a fix version is published upstream.

See how HarborGuard automates this
Affected packages
  • Adobe / ColdFusion
    ≤ 2023.20
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
References