Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-48282

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

View on NVD

Analysis

Adobe ColdFusion presenta una vulnerabilidad crítica de Path Traversal que permite la ejecución de código arbitrario sin necesidad de interacción del usuario. Al alcanzar un puntaje de 10.0, este fallo permite a un atacante tomar control total del servidor afectado en el contexto del servicio actual. Es imperativo actualizar las instancias de ColdFusion inmediatamente para proteger la infraestructura del backend.

Relevant roles

BackendCyberSecurityJavaLinuxWindowsCloud

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-22

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Published: 6/30/2026, 4:16:54 PM
Last modified: 6/30/2026, 4:16:54 PM

References

HomeEventsBlogResourcesTeam