A CVSS 1o-rated vulnerability in Adobe's web-application development platform ColdFusion is being actively exploited, warns the US's top cyber defence agency.

Shortly after being patched on June 30, CVE-2026-48282 was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalogue on Tuesday July 7.

It ordered government agencies to patch the critical path traversal vulnerability before July 10, warning it could lead to arbitrary code execution through the rapid app development platform.

Path traversal refers to issues with a pathname used to identify a file or directory, which means it can be altered to resolve to a location outside of the parent directory it is supposed to be restricted to.

As a result, attackers with access to the directory can use the bug to access other parts of the system it is part of and potentially modify or create files used to execute code.

See also: Adobe's C-suite exodus continues

Adobe first flagged the vulnerability when it patched it alongside ten other ColdFusion bugs, five of them also given a CVSS 10 rating, in a June 30 update for the 2025 and 2023 versions of the platform. None of the other bugs disclosed in the update have been added to KEV so far.

The Canadian Centre for Cyber Security had already flagged that attackers using CVE-2026-48282 on July 2, two days after its disclosure, citing open source reporting of its exploitation.

Adobe's June 30 advisory had stated it was not aware of any exploitation of the 11 bugs disclosed even after the CCCS's update but has since changed to acknowledge exploitation of CVE-2026-48282 in "limited attacks".

The link has been copied!