Critical Path Traversal Vulnerability in Adobe ColdFusion (CVE-2026-48282)
A critical improper limitation of a pathname to a restricted directory vulnerability (path traversal) has been identified in Adobe ColdFusion versions 2025.9, 2023.20, and earlier. This flaw (CVE-2026-48282) allows attackers to bypass directory restrictions and execute arbitrary code in the context of the current user. Exploitation does not require user interaction, enabling remote attackers to potentially compromise affected systems. The vulnerability affects the ColdFusion platform, with a CVSS score of 10.0 reflecting its high severity. All deployments of the listed versions are at risk. Immediate application of vendor-provided security patches is strongly recommended to prevent exploitation. Failure to remediate could result in full system compromise, data exfiltration, or lateral movement within networks. Adobe has released updates addressing this issue; administrators should prioritize upgrading to versions post-2025.9 or post-2023.20 as applicable. Systems exposed to untrusted networks are considered highest risk and should be isolated until patched.