CVE Catalog

CVE-2026-48282

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.02%

59th percentile — higher than 59% of all known CVEs

Summary

A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows a remote attacker to execute arbitrary code in the context of the current user without requiring user interaction. The issue stems from improper limitation of a pathname to a restricted directory.

Risk Assessment

An attacker can take control of the ColdFusion server by executing malicious code, leading to compromise of data confidentiality, integrity, and system availability.

Recommendation

Immediately update ColdFusion to version 2025.10 or later (for the 2025 line) and to version 2023.21 or later (for the 2023 line).

Original NVD description (English source)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS