Critical Adobe ColdFusion Vulnerability Exploited in Attacks (CVE-2026-48282)
Key Facts
- However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure.
- According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.
- Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.
- Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.
- Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.
- It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.
- Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.
- Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation.
- However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.
- “KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.
However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure. The issue is tracked as CVE-2026-48282. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.
The Vulnerability
Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.
Further details indicate that threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.
Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.
It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.
Technical Details
CVEs:
From a technical standpoint, the vulnerability presents several concerns:
Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.
Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation.
“KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.
Risk & Exposure
However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added.
However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.
Patching & Remediation
-
Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.
-
It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.
-
Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.
-
However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.
-
Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation.
-
SecurityWeek has emailed the company for a statement and will update this article if it responds.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.
Sources
Sources & References
- CVE-2026-48282 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-48282
- CVE-2026-48282 — Adobe advisory. https://helpx.adobe.com/security/cve-2026-48282.html
- CVE-2026-48282 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
CISA Warns of Oracle PeopleSoft 0-Day Vulnerability Exploited in Ransomware Attacks (CVE-2026-35273)
Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical vulnerability in Oracle...
Vulnerabilities & ExploitsCritical Gitea Flaw Under Active Exploitation, Researchers Warn Vulnerability (CVE-2026-20896)
Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with...
Vulnerabilities & ExploitsCisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild Vulnerability
Cisco Unified Communications Manager has a serious vulnerability, tracked as CVE-2026-20230 (CVSS score of 8.6), that attackers are already exploiting. The...
Vulnerabilities & ExploitsHitachi Energy e-mesh EMS Vulnerability (CVE-2026-42945)
The following versions of Hitachi Energy e-mesh EMS are affected: - Hitachi Energy e-mesh EMS 4.1.6, 4.4.2, 4.7.0 Background - Critical Infrastructure...