CVE-2026-48282
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk59th percentile — higher than 59% of all known CVEs
Summary
A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows a remote attacker to execute arbitrary code in the context of the current user without requiring user interaction. The issue stems from improper limitation of a pathname to a restricted directory.
Risk Assessment
An attacker can take control of the ColdFusion server by executing malicious code, leading to compromise of data confidentiality, integrity, and system availability.
Recommendation
Immediately update ColdFusion to version 2025.10 or later (for the 2025 line) and to version 2023.21 or later (for the 2023 line).
Original NVD description (English source)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

