Multiple vulnerabilities in Adobe ColdFusion (July 1, 2026)
Multiple vulnerabilities have been discovered in Adobe ColdFusion. Some of them allow an attacker to cause remote arbitrary code execution, privilege escalation, and data confidentiality breaches.
CSIRTS triage
- What
- Multiple vulnerabilities in Adobe ColdFusion can lead to remote code execution, privilege escalation, and data breaches.
- Who is affected
- Deployments of Adobe ColdFusion are affected.
- Urgency
- Remediation is critical due to the potential for severe exploitation.
- Action
- Upgrade to the latest version of Adobe ColdFusion to mitigate these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch ColdFusion
Get an email when a new ColdFusion advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0821/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-483070.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-482810.85% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Low exploitation riskCVE-2026-483150.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
- Low exploitation riskCVE-2026-482830.63% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 46% of all scored CVEs.
- Low exploitation riskCVE-2026-482760.92% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 56% of all scored CVEs.
- Elevated exploitation riskCVE-2026-4828228.6% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all scored CVEs.
- Low exploitation riskCVE-2026-483140.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all scored CVEs.
- Moderate exploitation riskCVE-2026-483161.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 69% of all scored CVEs.
- Moderate exploitation riskCVE-2026-483131.6% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 73% of all scored CVEs.
- Low exploitation riskCVE-2026-482850.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48307 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48281 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48315 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48283 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48276 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48282 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48314 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48316 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48313 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48285 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48277 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedAdobe security advisory (AV26-647) – Update 2cccs
- highexploitedCISA Adds One Known Exploited Vulnerability to Catalogcisa
- critical[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilitiescert-bund
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev
- criticalCVE-2026-48316: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- unknownNCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusionncsc-nl
- criticalCVE-2026-48315: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- mediumCVE-2026-48314: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- criticalCVE-2026-48313: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- highCVE-2026-48307: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripti…nvd
- highCVE-2026-48285: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery …nvd
- criticalCVE-2026-48283: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File…nvd
Recent advisories for Adobe ColdFusion
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- critical[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilitiescert-bund · 2026-07-07
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev · 2026-07-07
- unknownNCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusionncsc-nl · 2026-07-01
- criticalexploitedCVE-2017-3066: Adobe ColdFusion Deserialization Vulnerabilitycisa-kev · 2025-02-24
- criticalexploitedCVE-2024-20767: Adobe ColdFusion Improper Access Control Vulnerabilitycisa-kev · 2024-12-16
- criticalexploitedCVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilitycisa-kev · 2024-01-08
More from CERT-FR Avis de sécurité
- unknownMultiple vulnerabilities in Red Hat Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Ubuntu Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Progress MOVEit Transfer (July 10, 2026)2026-07-10
- unknownVulnerability in NetApp ONTAP 9 (July 10, 2026)2026-07-10
- unknownVulnerability in CPython (July 10, 2026)2026-07-10