CVE-2026-48282
CRITICAL KEV NUCLEIColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Title source: cnaExploitation Summary
CVE-2026-48282 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 7, 2026. EIP tracks 4 public exploits from researchers including HORKimhab, g0thamRabb1t, imbas007. A Nuclei detection template is also available.
AI-analyzed exploit summary This repository does not contain exploit code or technical analysis for CVE-2026-48282. Instead, it lists external links (including a GitHub repo and an encrypted archive) without providing any functional PoC, root cause details, or patch analysis. The README reads like a placeholder with no depth.
Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Exploits (4)
This repository does not contain exploit code or technical analysis for CVE-2026-48282. Instead, it lists external links (including a GitHub repo and an encrypted archive) without providing any functional PoC, root cause details, or patch analysis. The README reads like a placeholder with no depth.
This repository provides a detailed technical analysis of CVE-2026-48282, a vulnerability in Adobe ColdFusion Remote Development Services (RDS) that allows arbitrary file write and remote code execution (RCE) via improper authentication and FILEIO operations. The reports document the vulnerability's root cause, exploitation methodology, evidence collection, and detection logic without including functional exploit code.
This exploit targets a path traversal vulnerability (CVE-2026-48282) in Adobe ColdFusion's Remote Development Service (RDS) via the /CFIDE/main/ide.cfm endpoint. It enables unauthenticated arbitrary file read/write, leading to remote code execution by writing a webshell to the webroot.
This repository provides a detailed technical analysis of CVE-2026-48282, a Remote Development Services (RDS) authentication bypass and arbitrary file write vulnerability in Adobe ColdFusion 2025 Update 9, leading to remote code execution (RCE). The analysis includes evidence collection, detection logic, and mitigation guidance but intentionally omits exploit code.
Nuclei Templates (1)
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H