GHSA-jfrp-7pp5-772c · Severity: critical — ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a...
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Conclusion & alert: CVE-2026-48282 is rated Critical Active Threat (100/100): CVSS Critical severity, with high exploitation likelihood (EPSS 28.58%, 98th percentile). Core evidence: CISA KEV confirms active exploitation (added 2026-07-07) affecting Adobe / ColdFusion. a weakness (CWE-22) Unauthenticated remote administrative access may be possible. EPSS rose +25.38% over the last day, indicating growing attacker interest. Mandatory action: Federal remediation is required by 2026-07-10 (CISA ED 26-03); assess exposure and apply mitigations immediately.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Adobe ColdFusion Path Traversal Vulnerability · CISA KEV detail
: 2026-07-07
: 2026-07-10
: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-09 | 3.20% | 28.58% | +25.38% |
| 2 | 2026-07-08 | 1.02% | 3.20% | +2.18% |
| 3 | 2026-07-01 | — | 1.02% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
GHSA-jfrp-7pp5-772c · Severity: critical — ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update19:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update20:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update7:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update8:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update9:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48282 | US Government Resource |