A critical vulnerability, designated CVE-2026-48282, in Adobe ColdFusion allows for arbitrary code execution without user interaction. This flaw exploits a path traversal issue, enabling attackers to gain full control of affected servers remotely. The vulnerability affects ColdFusion 2025 Update 9 and earlier, as well as ColdFusion 2023 Update 20 and earlier versions. Emergency patches have been released by Adobe and must be applied immediately to prevent exploitation. The Canadian Centre for Cyber Security has warned of ongoing active attacks, which began shortly after the public disclosure of the vulnerability.
Active ColdFusion Arbitrary Code Execution Flaw Scores CVSS 10
CyberSIXT Evidence Panel
Article by CyberSIXT
Timeline Coverage
Swipe to explore timeline
-
Active ColdFusion Arbitrary Code Execution Flaw Scores CVSS 10
securityonline.info
-
Adobe Fixes ColdFusion, Campaign Classic Bugs Rated CVSS 10.0
cybersixt.com
-
Adobe fixes ColdFusion Campaign Classic bugs, urges patch
cybersixt.com
-
Adobe patches ColdFusion flaws to block arbitrary code execution
cybersixt.com