• Category: Security
  • Status: confirmed
  • Sources: Adobe APSB26-68, NVD, CISA KEV, watchTowr analysis
  • Summary: CVE-2026-48282 is a CVSS 10.0 path traversal in the ColdFusion Remote Development Services FILEIO handler that can reach arbitrary code execution. Adobe patched it in the APSB26-68 bulletin on 2026-06-30 with ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Reaching code execution requires RDS enabled with its authentication disabled, which is not the default configuration. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-07-07 on confirmed active exploitation. Reporting states exploitation began within about two hours of public disclosure.
  • Why it matters: Internet-exposed ColdFusion with RDS left on and unauthenticated is a direct remote-code-execution target, and patched builds are already available.

Send feedback on this story