Breaking: Adobe ColdFusion Under Active Exploitation — Six CVSS 10.0 Flaws — 10 July 2026
Adobe ColdFusion Under Active Exploitation — Six CVSS 10.0 Flaws, Patch Now
Adobe has confirmed active exploitation of ColdFusion vulnerabilities in limited attacks, prompting CISA to add CVE-2026-48282 to the Known Exploited Vulnerabilities catalog with a remediation deadline of today, 10 July 2026. The full bulletin (APSB26-68) is far worse than the single KEV entry suggests: it patches six CVSS 10.0 vulnerabilities, all enabling unauthenticated remote code execution from the network.
The Vulnerabilities
APSB26-68 addresses 10 vulnerabilities across ColdFusion 2025 and 2023. Six carry a CVSS 3.1 base score of 10.0, the maximum possible rating. All six allow an unauthenticated, remote attacker to achieve arbitrary code execution with no user interaction:
- CVE-2026-48276 — Unrestricted file upload (CWE-434), CVSS 10.0. Remote code execution. - CVE-2026-48277 — Improper input validation (CWE-20), CVSS 10.0. Remote code execution. - CVE-2026-48281 — Improper input validation (CWE-20), CVSS 10.0. Remote code execution. - CVE-2026-48316 — Improper input validation (CWE-20), CVSS 10.0. Remote code execution (availability impact only, not confidentiality/integrity). - CVE-2026-48282 — Path traversal (CWE-22), CVSS 10.0. Remote code execution. Confirmed exploited in the wild. - CVE-2026-48283 — Unrestricted file upload (CWE-434), CVSS 10.0. Remote code execution.
Three further critical-severity issues include a reflected XSS leading to code execution (CVE-2026-48307, CVSS 8.8), an SSRF enabling security feature bypass (CVE-2026-48285, CVSS 8.6), and a path traversal enabling privilege escalation (CVE-2026-48313, CVSS 9.3). An important-severity path traversal rounds out the bulletin.
Active Exploitation
Adobe states CVE-2026-48282 "has been exploited in the wild in limited attacks targeting Adobe ColdFusion." The pattern is consistent with prior ColdFusion exploitation campaigns: path traversal to achieve code execution on internet-facing instances. Given the cluster of six maximum-severity CVEs in the same release, adversaries will likely develop exploits for the additional flaws rapidly.
CISA KEV Status
CVE-2026-48282 was added to the CISA Known Exploited Vulnerabilities catalog on 7 July 2026 with a remediation deadline of 10 July 2026 — today. Federal agencies must comply under BOD 26-04. Private-sector organisations should treat this as equally urgent.
So What / Action
If you run Adobe ColdFusion, treat this as an emergency patch. The combination of six CVSS 10.0 flaws with confirmed wild exploitation demands same-day action. Patch to ColdFusion 2025 (build 2023.0.0.331385) or ColdFusion 2023 (build 2023.0.0.330468) immediately. On JEE deployments, ensure the JVM serial filter flag is set as documented in APSB26-68. If patching is not possible today, isolate ColdFusion servers from internet exposure until the patch can be applied. ColdFusion's persistent targeting history means delay is not a safe option.

