CVE-2026-48282
Actively exploited. CVE-2026-48282 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-07-07) — exploitation has been observed in the wild, and US federal agencies are required to remediate it under BOD 22-01. Treat patching as urgent.
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-48282 is indexed in GitHub PoC and Nuclei. Expect opportunistic scanning and exploitation attempts — prioritize remediation.
Serial number: AV26–647 Date: July 2, 2026 Updated: July 7, 2026 On June 30, 2026, Adobe published security advisories to address critical vulnerabilities in the following products: Adobe ColdFusion 2025 – Update 9 and prior Adobe ColdFusion 2023 – Update 20 and prior Adobe Campaign Classic – version ACC v7: 7.4.3 build 9396 and prior Update 1 Open-source reporting indicates that CVE-2026-48282 is being exploited. Update 2 On July 7, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-48282 to their Known Exploited Vulnerabilities (KEV) Database. The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. Security update available for Adobe ColdFusion | APSB26-68 Security updates available for Adobe Campaign Classic | APSB26-69 Adobe Security Advisories CISA KEV: CVE-2026-48282
CSIRTS triage
- What
- Critical vulnerabilities have been identified in Adobe ColdFusion.
- Who is affected
- Users and administrators of Adobe ColdFusion 2025 and 2023.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerabilities and reports of exploitation.
- Action
- Apply the necessary updates as per the security advisories.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-48282
Get an email if CVE-2026-48282 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Exploitation confirmedAlready exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 98% of all EPSS-scored CVEs.
Exploit availability
Public exploit or proof-of-concept code for CVE-2026-48282 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.
- GitHub PoCPublic proof-of-concept repositories on GitHub reference this CVE.look it up ↗
- NucleiA nuclei-templates detection/PoC template exists for this CVE.look it up ↗
Advisory coverage (7)
- criticalexploitedAdobe security advisory (AV26-647) – Update 2cccs · 2026-07-07
- highexploitedCISA Adds One Known Exploited Vulnerability to Catalogcisa · 2026-07-07
- critical[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilitiescert-bund · 2026-07-07
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev · 2026-07-07
- unknownNCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusionncsc-nl · 2026-07-01
- unknownMultiple vulnerabilities in Adobe ColdFusion (July 1, 2026)cert-fr-avis · 2026-07-01
- criticalCVE-2026-48282: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd · 2026-06-30
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-48282)