{"api_version":"1","generated_at":"2026-07-15T13:58:32+00:00","cve":"CVE-2026-48318","urls":{"html":"https://cve.report/CVE-2026-48318","api":"https://cve.report/api/cve/CVE-2026-48318.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48318","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48318"},"summary":{"title":"ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)","description":"ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.","state":"PUBLISHED","assigner":"adobe","published_at":"2026-07-14 21:16:58","updated_at":"2026-07-15 11:16:26"},"problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"],"metrics":[{"version":"3.1","source":"psirt@adobe.com","type":"Secondary","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","availabilityRequirement":"NOT_DEFINED","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":10,"environmentalSeverity":"CRITICAL","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":9.9,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html","name":"https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html","refsource":"psirt@adobe.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48318","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48318","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Adobe","product":"ColdFusion 2025","version":"affected 10 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"ColdFusion 2025","version":"unaffected 11 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"ColdFusion 2023","version":"affected 21 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"ColdFusion 2023","version":"unaffected 22 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48318","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-15T03:59:58.028984Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-15T10:34:39.970Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"ColdFusion 2025","vendor":"Adobe","versions":[{"lessThanOrEqual":"10","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"11","versionType":"semver"}]},{"defaultStatus":"affected","product":"ColdFusion 2023","vendor":"Adobe","versions":[{"lessThanOrEqual":"21","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"22","versionType":"semver"}]}],"datePublic":"2026-07-14T17:00:00.000Z","descriptions":[{"lang":"en","value":"ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","availabilityRequirement":"NOT_DEFINED","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":10,"environmentalSeverity":"CRITICAL","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":9.9,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T21:04:13.183Z","orgId":"078d4453-3bcd-4900-85e6-15281da43538","shortName":"adobe"},"references":[{"tags":["vendor-advisory"],"url":"https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html"}],"source":{"discovery":"EXTERNAL"},"title":"ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"078d4453-3bcd-4900-85e6-15281da43538","assignerShortName":"adobe","cveId":"CVE-2026-48318","datePublished":"2026-07-14T21:04:13.183Z","dateReserved":"2026-05-21T15:28:38.137Z","dateUpdated":"2026-07-15T10:34:39.970Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 21:16:58","lastModifiedDate":"2026-07-15 11:16:26","problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"],"metrics":{"cvssMetricV31":[{"source":"psirt@adobe.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-15T03:59:58.028984Z","id":"CVE-2026-48318","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48318","Ordinal":"1","Title":"ColdFusion | Improper Limitation of a Pathname to a Restricted D","CVE":"CVE-2026-48318","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48318","Ordinal":"1","NoteData":"ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.","Type":"Description","Title":"ColdFusion | Improper Limitation of a Pathname to a Restricted D"}]}}}