Adobe has urged ColdFusion customers to patch their instances immediately after at least one maximum severity flaw was reported as being exploited by attackers.
The software giant released patches for 11 CVEs on June 30 in the APSB26-68 bulletin. Six of these were given a CVSS score of 10.
Security researchers flagged that CVE-2026-48282 was being targeted within hours of the vulnerability being made public.
It’s a path traversal flaw in the popular web app development platform which could lead to arbitrary code execution.
Read more on Adobe flaws: New Vulnerabilities Found in Adobe ColdFusion
There are 775 exposed ColdFusion instances online, according to data from the ShadowServer Foundation.
CVE-2026-48282, and the other vulnerabilities listed in APSB26-68 were not in CISA’s Known Exploited Vulnerabilities catalog at the time of writing, but that will surely change.
The maximum severity bugs are particularly dangerous, as exploitation does not require user interaction.
Adobe Changes its Patching Cadence
Concerned about the impact AI is having on the exploitation window, Adobe announced in June that it would be moving from a monthly to twice-monthly publication of security advisories.
“Twice-monthly bulletins will enable us to keep pace with the era of frontier AI. More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries,” explained Adobe chief security officer, Aanchal Gupta.
“This new cadence is the direct result of investing in improved vulnerability discovery. AI accelerates discovery, but resilience still rests on the fundamentals: visibility, layered controls, continuous monitoring, and the discipline to ship fixes quickly once they are found.”
Adobe said it is still not aware of any exploits in the wild for CVE-2026-48282 or other flaws published in the APSB26-68 bulletin.
However, it’s ColdFusion offering is a popular target for attackers. In 2023, threat actors targeted the platform in crypto-mining, DDoS and other attacks.
