CVE Details

CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability
Published: 2026-07-07 CVSS: 10 CRITICAL Product: Adobe ColdFusion Due Date: 2026-07-10

Adobe ColdFusion contains a path traversal vulnerability that could lead to arbitrary code execution in the context of the current user.

GitHub PoC

Warning: GitHub PoC repositories are unverified. Some may be fake or contain malware. Use caution and review code before running anything.

FIRST EPSS

EPSS estimates the probability of exploitation in the next 30 days. Higher values indicate higher likelihood of real-world exploitation.

Timeline

CVE Stalker KEV MITRE GitHub FIRST (EPSS)

MITRE

CVSS

  • Score: 10
  • Severity: CRITICAL
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC

  • Exploitation: none
  • Automatable: yes
  • Technical Impact: total

References

Show Raw Data
Key Remaining Key Value
dataType CVE_RECORD
dataVersion 5.2
cveMetadata > cveId CVE-2026-48282
cveMetadata > assignerOrgId 078d4453-3bcd-4900-85e6-15281da43538
cveMetadata > state PUBLISHED
cveMetadata > assignerShortName adobe
cveMetadata > dateReserved 2026-05-21T15:28:38.134Z
cveMetadata > datePublished 2026-06-30T15:11:57.151Z
cveMetadata > dateUpdated 2026-07-01T03:55:49.055Z
containers > cna > affected > 0 > defaultStatus affected
containers > cna > affected > 0 > product ColdFusion
containers > cna > affected > 0 > vendor Adobe
containers > cna > affected > 0 > versions > 0 > lessThanOrEqual 2023.20
containers > cna > affected > 0 > versions > 0 > status affected
containers > cna > affected > 0 > versions > 0 > version 0
containers > cna > affected > 0 > versions > 0 > versionType semver
containers > cna > datePublic 2026-06-30T17:00:00.000Z
containers > cna > descriptions > 0 > lang en
containers > cna > descriptions > 0 > value ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
containers > cna > metrics > 0 > cvssV3_1 > attackComplexity LOW
containers > cna > metrics > 0 > cvssV3_1 > attackVector NETWORK
containers > cna > metrics > 0 > cvssV3_1 > availabilityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > availabilityRequirement NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > baseScore 10
containers > cna > metrics > 0 > cvssV3_1 > baseSeverity CRITICAL
containers > cna > metrics > 0 > cvssV3_1 > confidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > confidentialityRequirement NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > environmentalScore 10
containers > cna > metrics > 0 > cvssV3_1 > environmentalSeverity CRITICAL
containers > cna > metrics > 0 > cvssV3_1 > exploitCodeMaturity NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > integrityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > integrityRequirement NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > modifiedAttackComplexity LOW
containers > cna > metrics > 0 > cvssV3_1 > modifiedAttackVector NETWORK
containers > cna > metrics > 0 > cvssV3_1 > modifiedAvailabilityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > modifiedConfidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > modifiedIntegrityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > modifiedPrivilegesRequired NONE
containers > cna > metrics > 0 > cvssV3_1 > modifiedScope CHANGED
containers > cna > metrics > 0 > cvssV3_1 > modifiedUserInteraction NONE
containers > cna > metrics > 0 > cvssV3_1 > privilegesRequired NONE
containers > cna > metrics > 0 > cvssV3_1 > remediationLevel NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > reportConfidence NOT_DEFINED
containers > cna > metrics > 0 > cvssV3_1 > scope CHANGED
containers > cna > metrics > 0 > cvssV3_1 > temporalScore 10
containers > cna > metrics > 0 > cvssV3_1 > temporalSeverity CRITICAL
containers > cna > metrics > 0 > cvssV3_1 > userInteraction NONE
containers > cna > metrics > 0 > cvssV3_1 > vectorString CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
containers > cna > metrics > 0 > cvssV3_1 > version 3.1
containers > cna > metrics > 0 > format CVSS
containers > cna > metrics > 0 > scenarios > 0 > lang en
containers > cna > metrics > 0 > scenarios > 0 > value GENERAL
containers > cna > problemTypes > 0 > descriptions > 0 > cweId CWE-22
containers > cna > problemTypes > 0 > descriptions > 0 > description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
containers > cna > problemTypes > 0 > descriptions > 0 > lang en
containers > cna > problemTypes > 0 > descriptions > 0 > type CWE
containers > cna > providerMetadata > orgId 078d4453-3bcd-4900-85e6-15281da43538
containers > cna > providerMetadata > shortName adobe
containers > cna > providerMetadata > dateUpdated 2026-06-30T15:11:57.151Z
containers > cna > references > 0 > tags > 0 vendor-advisory
containers > cna > references > 0 > url https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
containers > cna > source > discovery EXTERNAL
containers > cna > title ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
containers > adp > 0 > metrics > 0 > other > type ssvc
containers > adp > 0 > metrics > 0 > other > content > timestamp 2026-06-30T00:00:00+00:00
containers > adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation none
containers > adp > 0 > metrics > 0 > other > content > options > 1 > Automatable yes
containers > adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact total
containers > adp > 0 > metrics > 0 > other > content > role CISA Coordinator
containers > adp > 0 > metrics > 0 > other > content > version 2.0.3
containers > adp > 0 > metrics > 0 > other > content > id CVE-2026-48282
containers > adp > 0 > title CISA ADP Vulnrichment
containers > adp > 0 > providerMetadata > orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0
containers > adp > 0 > providerMetadata > shortName CISA-ADP
containers > adp > 0 > providerMetadata > dateUpdated 2026-07-01T03:55:49.055Z