[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in Adobe ColdFusion to execute arbitrary code, gain elevated permissions, bypass security measures, conduct cross-site scripting attacks, manipulate data, or disclose confidential information.
CSIRTS triage
- What
- A remote, anonymous attacker can exploit multiple vulnerabilities in Adobe ColdFusion to execute arbitrary code, gain elevated permissions, bypass security measures, conduct cross-site scripting attacks, manipulate data, or disclose confidential information.
- Who is affected
- Deployments of Adobe ColdFusion are affected.
- Urgency
- Remediation is critical urgency due to the potential for severe exploitation.
- Action
- Apply the latest security updates for Adobe ColdFusion.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch ColdFusion
Get an email when a new ColdFusion advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2155
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-482760.92% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 56% of all scored CVEs.
- Low exploitation riskCVE-2026-482770.85% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Low exploitation riskCVE-2026-482810.85% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Elevated exploitation riskCVE-2026-4828228.6% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all scored CVEs.
- Low exploitation riskCVE-2026-482830.63% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 46% of all scored CVEs.
- Low exploitation riskCVE-2026-482850.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
- Low exploitation riskCVE-2026-483070.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Moderate exploitation riskCVE-2026-483131.6% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 73% of all scored CVEs.
- Low exploitation riskCVE-2026-483140.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all scored CVEs.
- Low exploitation riskCVE-2026-483150.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48276 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48277 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48281 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48282 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48283 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48285 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48307 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48313 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48314 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48315 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48316 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedAdobe security advisory (AV26-647) – Update 2cccs
- highexploitedCISA Adds One Known Exploited Vulnerability to Catalogcisa
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev
- criticalCVE-2026-48316: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- unknownNCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusionncsc-nl
- unknownMultiple vulnerabilities in Adobe ColdFusion (July 1, 2026)cert-fr-avis
- criticalCVE-2026-48315: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- mediumCVE-2026-48314: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- criticalCVE-2026-48313: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- highCVE-2026-48307: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripti…nvd
- highCVE-2026-48285: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery …nvd
- criticalCVE-2026-48283: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File…nvd
Recent advisories for Adobe ColdFusion
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev · 2026-07-07
- unknownNCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusionncsc-nl · 2026-07-01
- unknownMultiple vulnerabilities in Adobe ColdFusion (July 1, 2026)cert-fr-avis · 2026-07-01
- criticalexploitedCVE-2017-3066: Adobe ColdFusion Deserialization Vulnerabilitycisa-kev · 2025-02-24
- criticalexploitedCVE-2024-20767: Adobe ColdFusion Improper Access Control Vulnerabilitycisa-kev · 2024-12-16
- criticalexploitedCVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilitycisa-kev · 2024-01-08
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10