CISA added CVE-2026-48282, a path traversal vulnerability in Adobe ColdFusion, to its Known Exploited Vulnerabilities catalog on July 7, 2026, confirming the flaw is being exploited in the wild. The bug affects ColdFusion 2025.9, 2023.20, and earlier versions, and allows a remote, unauthenticated attacker to achieve arbitrary code execution through a low-complexity attack chain.
Under Binding Operational Directive 26-04, federal civilian agencies were required to apply patches or documented mitigations by July 10, 2026 — a three-day remediation window that reflects how CISA is treating the severity and active-exploitation status of the flaw.
Path traversal vulnerabilities in web application platforms are a recurring entry point for attackers because they often lead directly to arbitrary file read or write, which in turn enables code execution. ColdFusion in particular has a long history of being targeted this way, and public disclosure combined with a KEV listing tends to accelerate mass scanning within days.
If ColdFusion is part of your environment, apply Adobe’s patch immediately and don’t treat “internal only” as a mitigation on its own — verify that. In the meantime, restrict external access to ColdFusion servers where you can, and review web server and application logs for unusual file access patterns, unexpected file uploads, or execution of unfamiliar processes during the window before you patched.