Adobe issued a new Priority 1 ColdFusion security advisory on July 14, 2026 — the second time in two weeks it has patched the same product at Priority 1 severity. This batch resolves 13 ColdFusion vulnerabilities, eight of which are rated Critical: the lead CVE-2026-48318 is a path traversal flaw scoring CVSS 9.9 that can lead to arbitrary code execution, accompanied by code injection, improper input validation, missing authentication, SQL injection, and incorrect authorization bugs. Fixed versions are ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Adobe says it is not aware of active exploitation at time of disclosure — but the prior ColdFusion advisory (APSB26-68, two weeks earlier) was exploited within hours of release, making speed critical.
What the Vulnerabilities Are
Adobe’s July 14 advisory introduces a second batch of critical ColdFusion CVEs entirely distinct from the APSB26-68 batch patched July 1. The eight critical issues span multiple vulnerability classes:
| CVE | Vulnerability Class | Potential Impact |
|---|---|---|
| CVE-2026-48318 | Path Traversal | Arbitrary code execution |
| CVE-2026-48322 | Code Injection | Arbitrary code execution |
| CVE-2026-48284 | Improper Input Validation | Arbitrary code execution |
| CVE-2026-48321 | Missing Authentication | Privilege escalation |
| CVE-2026-48325 | SQL Injection | Arbitrary code execution |
| CVE-2026-48319 | Incorrect Authorization | Arbitrary code execution |
| CVE-2026-48324 | Code Injection | Arbitrary code execution |
| CVE-2026-48327 | Privilege Escalation | Privilege escalation |
CVE-2026-48318 (CVSS 9.9) is the headline bug. Path traversal vulnerabilities in ColdFusion have a particularly dangerous history — CVE-2026-48282 from the previous advisory (APSB26-68) was exactly this class and was exploited in the wild within hours of public disclosure, reading Windows system files such as C:\Windows\win.ini from internet-exposed ColdFusion servers. CVE-2026-48318 is a fresh traversal flaw distinct from that CVE but in the same product and product area.
The five remaining (non-critical) vulnerabilities in this advisory are rated Important and are addressed by the same ColdFusion 2025 Update 11 / 2023 Update 22 patch.
Why It Matters
- ColdFusion servers are a high-value target. They typically run in enterprise environments handling e-commerce, government portals, financial systems, and healthcare applications. A single compromised ColdFusion server often means access to sensitive databases and connected systems.
- The prior advisory was weaponized within hours of disclosure. APSB26-68’s CVE-2026-48282 (a path traversal rated CVSS 10.0) was added to CISA’s Known Exploited Vulnerabilities catalog and saw automated exploitation attempts the same day it was published. Attackers actively monitor Adobe advisories.
- Two rounds of Priority 1 patches in two weeks means the attack surface isn’t fully closed. Running Update 10 / Update 21 (the previous patch) is no longer sufficient. Only Update 11 / Update 22 addresses this new batch.
- Priority 1 is Adobe’s highest urgency tier. It means Adobe believes the vulnerability is at risk of being exploited in the wild in the near term and urges patching within 72 hours.
Am I Affected?
You are affected if you run on-premises ColdFusion on any platform and have not yet applied:
- ColdFusion 2025: You are affected if your version is below Update 11
- ColdFusion 2023: You are affected if your version is below Update 22
To check your current update level, log into the ColdFusion Administrator and go to Server Update → Updates → Settings.
ColdFusion hosted via Adobe’s cloud or ColdFusion as a service (where Adobe manages patching) may be updated automatically — verify with your provider.
You are NOT affected if:
- You are running ColdFusion 2025 Update 11 or higher
- You are running ColdFusion 2023 Update 22 or higher
Note: ColdFusion 2021 reached end of extended support in November 2025 and receives no patches for this advisory. If you are still on ColdFusion 2021, migration to a supported version is urgent.
What to Do About It: Step-by-Step
1. Check your ColdFusion version:
Log in to the ColdFusion Administrator (typically http://yourserver/CFIDE/administrator/):
- Navigate to: Server Update → Updates → Installed Updates
- Note the current update number
2. Apply the patch:
- ColdFusion 2025: Install Update 11
- ColdFusion 2023: Install Update 22
From the ColdFusion Administrator:
- Go to Server Update → Updates → Available Updates
- Select the update and click Download and Install
Alternatively, download the update directly from Adobe’s security bulletins page and apply manually.
3. Restart the ColdFusion application server after patching:
# Linux (service name may vary):
sudo systemctl restart coldfusion
# Windows (via Services or command line):
net stop "ColdFusion <version> Application Server"
net start "ColdFusion <version> Application Server"
4. Harden ColdFusion if you haven’t already (these do not substitute for patching, but reduce attack surface):
- Restrict
/CFIDE/access to admin IPs only via your web server/WAF. Add to NGINX config:location /CFIDE/ { allow 192.168.1.0/24; # replace with your admin IP range deny all; } - Enable ColdFusion’s built-in Sandbox Security for multi-tenant environments.
- Block direct internet access to the ColdFusion Administrator port (9000/8500 depending on configuration).
- Enable your WAF’s path traversal rules (e.g., ModSecurity CRS rule group
REQUEST-930-APPLICATION-ATTACK-LFI).
5. Look for signs of exploitation (indicators from the prior advisory’s attack pattern):
# Check ColdFusion access logs for path traversal attempts:
grep -E "\.\./|\.\.\\\\|\%2e\%2e|%252e%252e" /var/log/coldfusion/access.log
# Look for suspicious script files written to the CF webroot:
find /opt/coldfusion/cfusion/wwwroot -name "*.cfm" -newer /var/log/coldfusion/access.log -mtime -7
# Windows equivalent (PowerShell):
Get-ChildItem "C:\ColdFusion2025\cfusion\wwwroot" -Recurse -Filter "*.cfm" |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
Quick-Win Checklist
- Log into ColdFusion Administrator and confirm current update version
- Apply ColdFusion 2025 Update 11 or ColdFusion 2023 Update 22 immediately
- Restart ColdFusion application server after patching
- Block
/CFIDE/and admin ports from public internet access - Enable WAF path traversal rules
- Audit ColdFusion webroot for unexpected
.cfmfiles added in the last 7 days - Verify you are NOT on ColdFusion 2021 (EOL — no patches)
- Subscribe to Adobe security bulletins: helpx.adobe.com/security/security-bulletin.html