Attackers are exploiting a maximum-severity Adobe ColdFusion flaw tracked as CVE-2026-48282, with KEVIntel saying it saw in-the-wild abuse within two hours of Adobe’s disclosure. The issue affects ColdFusion 2025.9, 2023.20 and earlier, and can let unauthenticated attackers gain remote code execution on unpatched systems.
KEY FACTS
- Flaw CVE-2026-48282 affects Adobe ColdFusion and carries maximum severity.
- Impact Unprivileged attackers can gain remote code execution on vulnerable systems.
- Timeline Adobe issued patches on Tuesday, and exploitation was reported shortly after.
- Response The Canadian Center for Cyber Security urged defenders to apply updates.
Adobe said the update addresses vulnerabilities that are being targeted or face a higher risk of targeting in the wild, and urged administrators to install it within 72 hours. The company said last week that it was not aware of exploits in the wild for the issues covered in that round of updates.
In a Canadian Center for Cyber Security advisory, the agency said open-source reporting indicated that CVE-2026-48282 was being exploited. Shadowserver now tracks nearly 800 Adobe ColdFusion instances exposed online, although it is not clear how many are honeypots or have been secured.
ColdFusion is a commercial web application development platform used to build and deploy enterprise websites. Adobe also recently patched six other maximum-severity flaws in ColdFusion and Campaign Classic, and in April it issued emergency fixes for an Acrobat Reader zero-day that had been abused for months.
Since November 2021, CISA has listed 79 Adobe vulnerabilities in its catalog of known exploited flaws, 10 of them tied to ransomware activity.
WHY IT MATTERS
CVE-2026-48282 can let attackers take control of exposed ColdFusion systems without credentials, which makes delayed patching risky. Organizations running affected versions face immediate exposure until updates are installed and systems are checked for compromise.

