CISA KEV Alert 7/7/2026, 7:21:19 PM

CISA Adds Critical Adobe ColdFusion Flaw CVE-2026-48282 to KEV

CyberSIXT Evidence Panel Source marked as original reporting
Primary Source cisa.gov
CISA KEV Listed in KEV
Patch Patch Available

CISA has added CVE‑2026-48282 to its Known Exploited Vulnerabilities catalogue. The entry concerns Adobe ColdFusion and involves the Adobe ColdFusion Path Traversal Vulnerability, which could allow arbitrary code execution in the context of the current user.

The vulnerability is a path traversal flaw that can be exploited remotely to execute arbitrary code. It carries a CVSS v3.1 base score of 10.0, rating it as critical. Adobe has released a patch addressing the issue, and the advisory is available via the vendor’s security bulletin.

Active exploitation has been confirmed, which is why the CVE appears in the KEV catalogue. No known ransomware campaign has been linked to this flaw at present. CISA has set a remediation deadline of 10 July 2026 for federal agencies to apply the necessary mitigations.

CISA’s required action is: “Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.

Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.” This directive binds Federal Civilian Executive Bureau (FCEB) agencies; all other organisations should review their exposure and apply the patch or mitigations as soon as practicable.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48282 and the CISA KEV catalogue.

View CISA KEV Entry

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline