CISA adds Adobe ColdFusion CVE-2026-48282 to KEV with a July 10 patch deadline
CISA has marked Adobe ColdFusion CVE-2026-48282 as actively exploited, giving U.S. federal civilian agencies until July 10, 2026, to apply vendor mitigations.
CISA has added Adobe ColdFusion CVE-2026-48282 to its Known Exploited Vulnerabilities catalog. Confidence level: confirmed. NVD lists the flaw as a CVSS 10.0 ColdFusion path traversal issue, and the KEV entry gives U.S. federal civilian agencies a July 10, 2026 deadline to apply vendor mitigations.

Image source: Help Net Security.
What changed
CVE-2026-48282 affects Adobe ColdFusion 2025.9, ColdFusion 2023.20, and earlier versions. NVD describes it as a path traversal vulnerability that can lead to arbitrary code execution in the context of the current user and does not require user interaction.
CISA's KEV data marks exploitation as active and sets July 10, 2026 as the federal remediation deadline. Adobe's linked vendor bulletin is the patch source to verify fixed versions and installation steps before touching production systems.
Key takeaways
- CVE-2026-48282 is listed by NVD with a CVSS 3.1 base score of 10.0.
- The issue affects ColdFusion 2025.9, ColdFusion 2023.20, and earlier releases.
- CISA added the flaw to KEV on July 7, 2026, based on active exploitation.
- The federal due date shown in the KEV data is July 10, 2026.
- Internet-facing ColdFusion servers should be patched, checked for RDS exposure, and reviewed for compromise indicators.
| Check | What to do | Why it matters |
|---|---|---|
| Version | Confirm whether ColdFusion is at or below 2025.9 or 2023.20 | Those versions are listed as affected |
| Exposure | Identify internet-facing ColdFusion services | Exploited edge systems carry the highest operational risk |
| RDS | Check whether Remote Development Services is enabled and how it is protected | Independent reporting ties exploitation conditions to RDS exposure |
| Patch | Apply Adobe's fixed update path | CISA points agencies to vendor mitigations |
| Hunt | Review web roots, /CFIDE/, new files, and unusual requests | Exploitation may involve file write or execution paths |
Availability and access
This is a patch-and-triage item, not a product rollout. Admins should use Adobe's bulletin for the official update path, then confirm the installed ColdFusion build and restart requirements in their own environment.
U.S. federal civilian executive branch agencies have a KEV deadline of July 10, 2026. Private-sector teams are not bound by that directive, but KEV status is a strong prioritization signal because it means CISA has evidence of active exploitation.
Why it matters
ColdFusion remains present in enterprise web stacks, often behind old admin paths, internal applications, and exposed legacy services. A CVSS 10.0 vulnerability with active exploitation does not belong in a normal monthly patch queue.
For LinkLoot readers running mixed infrastructure, the practical move is simple: turn the KEV entry into a short incident task. Find ColdFusion, confirm version, patch or isolate, check RDS, review logs, and document whether the server was reachable from the internet. Teams that automate this kind of follow-up can adapt the checks in our AI workflow automation guide for ticket creation and evidence collection.
What to verify before you act
- Confirm the affected ColdFusion version and exact Adobe fixed update for your branch.
- Check whether the system exposes ColdFusion or
/CFIDE/paths to the internet. - Verify whether RDS is enabled, whether authentication protects it, and whether it is needed.
- Review logs and filesystem changes from June 30, 2026 onward.
- Recheck CISA KEV and Adobe's bulletin for updates before closing the incident.
Source check
Confirmed by:
- NVD lists CVE-2026-48282, Adobe as source, affected ColdFusion versions, CVSS 10.0, and the CISA KEV relationship.
- CISA's KEV reference in NVD shows active exploitation and a July 10, 2026 due date.
- Adobe's bulletin is the vendor advisory linked from NVD for mitigation details.
Independent context:
- Help Net Security reports exploitation activity, summarizes the ColdFusion RDS angle, and notes that admins should upgrade to the fixed ColdFusion 2025 and 2023 updates.
CVE-2026-48282 is an Adobe ColdFusion path traversal vulnerability that NVD says can lead to arbitrary code execution without user interaction.
