The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe ColdFusion flaw to its Known Exploited Vulnerabilities catalog after finding evidence that attackers are already using it in the wild. The bug, tracked as CVE-2026-48282, is a path traversal weakness, meaning it lets an attacker step outside the folders an application is supposed to stay within and reach files or code that should be off limits.
Because ColdFusion runs on many public facing enterprise web servers, an actively exploited path traversal is exactly the kind of bug ransomware crews and access brokers race to abuse. The listing follows Adobe's early July emergency patches for a batch of critical ColdFusion code execution flaws, and comes after researchers watched intruders plant web shells and dump credentials following a ColdFusion break in.
What CISA flagged
CVE-2026-48282 was not the only vulnerability CISA listed this week. On the same day the agency added three more flaws it says are under active attack: CVE-2026-55255, an authorization bypass in the Langflow AI application builder; CVE-2026-48908, an unrestricted file upload bug in JoomShaper SP Page Builder; and CVE-2026-56290, an improper access control flaw in Joomlack Page Builder. The two Joomla website builders and the Langflow tool are all internet reachable by design, which is what makes them attractive targets. Langflow has drawn attackers before, when crews hijacked exposed servers to mine cryptocurrency.
Why it matters
Under Binding Operational Directive 26-04, federal civilian agencies must remediate catalog listed bugs by a set deadline, but CISA urges every organization to treat the list as a priority. A path traversal in ColdFusion can be the first step toward web shell deployment, credential theft, and full server takeover.
What you should do
Apply Adobe's latest ColdFusion security updates immediately and confirm your installed version is patched. Update Langflow, SP Page Builder, and Joomlack Page Builder to fixed releases. Because these flaws are already being exploited, also hunt for signs of prior compromise, such as unexpected files, new administrative accounts, or outbound connections from the affected servers, rather than assuming patching alone closes the door.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.