This text was generated using artificial intelligence (AI).Update July 8, 2026: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48282 to its Known Exploited Vulnerabilities Catalog and is warning of active exploitation on the web. See below for details.
On June 30, 2026, Adobe published, as part of its security bulletin, APSB26-68 Details on several critical vulnerabilities in Adobe ColdFusion. The one known as CVE-2026-48316 and CVE-2026-48282 Each classified vulnerability was assigned the maximum severity level of CVSS 10.0 These vulnerabilities allow attackers to execute arbitrary code (Remote Code Execution, RCE) on affected servers without requiring authentication or user interaction.
Bulletin APSB26-68 covers a total of 11 CVEs, 6 of which have a maximum CVSS score of 10.0. For complete patch prioritization, we recommend reading the Adobe Security Bulletins APSB26-68.
The Facts at a Glance:
CVE IDs: CVE-2026-48316, CVE-2026-48282
Severity: CVSS 10.0 (Critical)
Affected software: Adobe ColdFusion 2023 (Update 20 and earlier), 2025 (Update 9 and earlier)
Patch: Available in ColdFusion 2023 Update 21 and 2025 Update 10
Active Exploitation: According to CISA, CVE-2026-48282 is being actively exploited
Recommendation: Installation of Priority 1 updates (within 72 hours for vulnerable systems)
Technical Analysis: CVE-2026-48316
The cause of CVE-2026-48316 is insufficient input validation (CWE-20: Improper Input Validation) in a core component of Adobe ColdFusion. An attacker can send a specially crafted request over the network to a vulnerable server and thereby execute code within the security context of the user running the application.
The CVSS score AV:N/AC:L/PR:N/UI:N/S:C illustrates the high risk:
Attack Vector: Network (AV:N): The vulnerability can be exploited remotely over the network.
Attack Complexity: Low (AC:L): No complex prerequisites are necessary for a successful attack.
Privileges Required: None (PR:N): The attacker does not need any login credentials or existing permissions.
User Interaction: None (UI:N): No user action (such as clicking a link) is required.
Scope: Changed (S:C): A successful attack can breach the application's security defenses and potentially allow an attacker to gain control of the underlying system.
As of the patch's release on June 30, 2026, Adobe stated that it had no information regarding any active exploitation of CVE-2026-48316.
CVE-2026-48282 is a path-traversal vulnerability (CWE-22) in Adobe ColdFusion's Remote Development Services (RDS). Even a single specially crafted, unauthenticated HTTP request to an accessible RDS endpoint is sufficient to achieve remote code execution. The vulnerability is rated at the highest severity level CVSS 10.0 rated (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
According to an updated report from The Hacker News (as of July 3, 2026), CVE-2026-48282 has since been actively exploited online. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. This underscores the immediate danger: Attackers have working exploits and are targeting unpatched ColdFusion instances with them.
The combination of maximum severity, ease of exploitation, and confirmed active exploitation makes CVE-2026-48282 one of the most urgent threats to exposed ColdFusion servers.
Affected Systems and Risk Assessment
The security vulnerabilities affect the following versions of the widely used web application platform:
Adobe ColdFusion 2025: Update 9 and all earlier versions
Adobe ColdFusion 2023: Update 20 and all earlier versions
Adobe has classified all of the vulnerabilities mentioned as having the highest priority. A „Priority Rating 1” is a clear recommendation to update systems connected to the Internet within 72 hours. Any publicly accessible and unpatched ColdFusion server poses a significant security risk. The confirmed active exploitation of CVE-2026-48282 further increases the urgency.
Recommended Actions and Patch Information
Companies should take immediate action to protect their systems. The following measures are recommended:
Immediate Measures
Installing patches: Update your instances to the bug-fixed versions provided by Adobe:
Adobe ColdFusion 2025 Update 10
Adobe ColdFusion 2023 Update 21
Prioritization: Identify and prioritize all externally accessible ColdFusion servers for immediate updating. Given that CVE-2026-48282 is actively being exploited, the patches should be installed without delay.
Short-Term Measures
Check dependencies: Make sure that the MySQL Java Connector you are using, as well as the underlying JDK/JRE Long-Term Support version, are up to date.
Harden the configuration: Follow the recommendations in Adobe's official „ColdFusion Security Configuration and Lockdown Guide“ to reduce your attack surface.
Preparing for Incident Response: Check your systems for signs of compromise, especially if they were exposed before the patch was installed.
Long-term measures
Establish a monitoring system: Implement a continuous vulnerability and vendor risk management program so that you can respond to future threats in a structured manner.
Relevance to the DACH Region and the EU
Companies and government agencies in German-speaking countries that use Adobe ColdFusion as part of essential or critical services are subject to the requirements of the NIS-2 Directive affected. Article 21 of NIS-2 requires affected operators to promptly address critical vulnerabilities and implement appropriate technical safeguards. If the exploitation of these vulnerabilities results in a security incident affecting personal data, the Reporting Obligation Under Article 33 of the GDPR: Data controllers must notify the relevant supervisory authority within 72 hours of becoming aware of the incident. Operators of critical infrastructure (KRITIS) should also follow the relevant BSI recommendations for hardening exposed web server components.
The inclusion of CVE-2026-48282 in the CISA KEV Catalog underscores the international significance of this threat. Although CISA is a U.S. agency, the vulnerabilities listed there are regularly exploited by attackers worldwide.
How LocateRisk Helps with Risk Mitigation
Vulnerabilities such as CVE-2026-48316 and CVE-2026-48282 highlight the need to continuously monitor one’s own external attack surface. Often, it is forgotten or undocumented systems (shadow IT) that pose the greatest risk: ColdFusion instances that were once set up for a project, are no longer actively maintained, and are still accessible from the Internet do not appear in any internal inventory—and therefore remain invisible during the manual patching process.
An External Attack Surface Management (EASM) solution such as LocateRisk automatically identifies all of your company's externally accessible IT assets. Services such as Adobe ColdFusion are identified by fingerprinting HTTP headers and specific file paths (e.g.,. /CFIDE/) and other characteristics. This gives IT managers a quick overview of where potentially vulnerable instances are running, allowing them to significantly reduce response times.
In addition, an automated Vendor Risk Management, to assess the security posture of service providers and software vendors that might also use ColdFusion. The LocateRisk platform is operated in certified German data centers and is designed to comply with GDPR requirements. It thus helps companies secure their IT infrastructure in accordance with standards such as the BSI IT-Grundschutz.
Active exploitation of CVE-2026-48282 (The Hacker News, updated July 3, 2026):thehackernews.com
Do you know your external attack surface?
Exposed and unpatched systems are one of the most common causes of successful cyberattacks. LocateRisk provides a continuous overview of your external IT systems and identifies security risks before they become a problem.
This affects Adobe ColdFusion 2025 through Update 9, as well as Adobe ColdFusion 2023 through Update 20. Older, unsupported versions may also be at risk.
Adobe has classified all of the vulnerabilities mentioned as having the highest priority (Priority 1). Administrators of publicly accessible systems should install the update within 72 hours. Given the confirmed active exploitation of CVE-2026-48282, immediate installation without delay is strongly recommended.
Yes. According to CISA, CVE-2026-48282 is being actively exploited on the web and has been added to the Known Exploited Vulnerabilities Catalog. As of the patch’s release on June 30, 2026, there was no information available regarding active exploitation of the second ColdFusion vulnerability, CVE-2026-48316.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.