CISA Orders Patch for Critical Adobe ColdFusion Flaw and Three Other Actively Exploited Bugs
A perfect-10 severity vulnerability in Adobe ColdFusion is among four flaws now confirmed as actively exploited, putting federal agencies and private organisations on a tight patching deadline.

The US Cybersecurity and Infrastructure Security Agency added four actively exploited software vulnerabilities to its Known Exploited Vulnerabilities catalog on Tuesday, including a maximum-severity flaw in Adobe ColdFusion that researchers have rated a perfect 10.0 out of 10.
What landed on the KEV catalog and why it matters
The KEV catalog is not a theoretical watch list. Inclusion means CISA has confirmed active exploitation in the wild. Criminals are using these flaws right now, against real targets.
The headliner is CVE-2026-48282, a path traversal vulnerability in Adobe ColdFusion. Path traversal bugs let an attacker feed a crafted file path to a web server and coax it into reading, writing, or executing files that should be off-limits. In ColdFusion's case, Adobe warns the flaw can result in arbitrary code execution. That is about as bad as it sounds: a remote attacker who exploits this successfully can run any program they choose on the victim's server, steal data, plant malware, or pivot deeper into the corporate network.
A CVSS score of 10.0 is rare. It signals that the flaw is remotely exploitable, requires no authentication, demands no user interaction, and produces complete compromise when abused. The full technical record for CVE-2026-48282 sits in the National Vulnerability Database.
The other three entries cover Joomla, the open-source content management system that powers millions of websites globally, and Langflow, an increasingly popular platform developers use to connect large language models into working AI pipelines. CISA has not published full technical write-ups for each, but the KEV listing alone is the signal defenders need to act.
Who is affected and what is the deadline?
Under Binding Operational Directive 22-01, every US federal civilian agency must remediate any flaw appearing on the KEV catalog by the date CISA specifies, typically within two to three weeks of listing. For this batch, that deadline falls in early December. Non-compliance is not treated as an administrative inconvenience; it is a security posture failure that CISA tracks agency by agency.
Private companies are not legally bound by BOD 22-01, but CISA strongly urges them to treat KEV deadlines as their own. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities was the most common initial access vector in breaches involving external parties, representing 14 percent of all breaches analysed. Attackers scan for unpatched ColdFusion and Joomla instances within hours of a flaw becoming public knowledge. The window between disclosure and first exploit attempt has collapsed to near-zero for high-severity CVEs.
Admins running ColdFusion should consult Adobe's security bulletin portal and apply the latest update immediately, without waiting for a scheduled maintenance window. Joomla site owners can push updates directly from the administrator dashboard. Langflow users should pull the newest release from the project's official repository.
The control failure: patch management and asset visibility
These four vulnerabilities illuminate a persistent and painful gap in organisational security practice: patch management that treats urgency as optional. ColdFusion has appeared on the KEV catalog before. So has Joomla. Repeat appearances from the same software families suggest that a meaningful portion of the organisations running these platforms are either unaware of the vulnerability, unable to act quickly due to change-management friction, or simply hoping the risk will pass. It will not.
The root control failure here is not a lack of technology. Most organisations have patch management tooling. The failure is procedural and cultural: teams do not treat externally accessible web application servers with the same urgency as endpoint devices, and asset inventories are often incomplete enough that administrators do not know they are running a vulnerable ColdFusion instance in the first place. You cannot patch what you do not know you own. Security frameworks including NIST SP 800-40 recommend organisations maintain a complete, continuously updated software inventory precisely for this reason.
For Langflow specifically, the risk profile is evolving fast. AI development pipelines are new terrain, and the developers building with tools like Langflow do not always come from security-first backgrounds. An open-source AI orchestration tool connected to production data and running on an internet-accessible server is a high-value target. The attack surface of AI infrastructure has expanded far faster than the security controls surrounding it.
What organisations should do this week
First, run an asset discovery sweep. Find every internet-facing server running ColdFusion, Joomla, or Langflow. Shadow IT is a real problem; the instance you do not know about is the one that gets exploited.
Second, apply patches in priority order based on internet exposure. Externally accessible servers go first, internal tools second.
Third, check your web application firewall rules. A WAF will not fully compensate for an unpatched path traversal flaw, but temporary virtual patching rules can reduce the attack surface while a proper fix is tested and deployed.
Fourth, review logs for signs of exploitation that may already have occurred. Path traversal attacks leave traces: unusual file access patterns, unexpected process spawning from web server accounts, and anomalous outbound connections from application servers. If you are running ColdFusion and have not patched CVE-2026-48282, treat the server as potentially compromised until confirmed otherwise.
Finally, consider the human dimension. Technical controls protect infrastructure, but the security team's ability to respond quickly depends on whether staff across IT and development understand what the KEV catalog is and why it carries urgency. Security awareness training that covers vulnerability management basics helps technical teams align on priority, and it helps non-technical stakeholders understand why a "routine update" sometimes needs to happen tonight rather than next quarter.
The CISA KEV catalog is publicly available and free to use. There is no excuse for not subscribing to it. Every organisation running commercial or open-source web software should have an automated process that checks new KEV entries against its own asset inventory the same day they are published.
How faster security awareness could have shortened the exposure window
- Run an immediate asset inventory sweep to identify every internet-facing server running ColdFusion, Joomla, or Langflow, including shadow IT instances outside formal IT records.
- Establish a standing policy that KEV catalog additions trigger same-day triage, not a routine change-management queue, for any affected externally accessible system.
- Brief development and IT operations staff on what the KEV catalog is and why its deadlines carry the same weight as a regulatory requirement, so patch urgency is understood across the team, not just by the CISO.
Train2Secure's security awareness programmes help technical and non-technical staff alike understand vulnerability management priorities so that the next critical patch gets applied before attackers get there first. Explore a [free trial](https://train2secure.com/free-trial) to see how it fits your team.
Start free, no card requiredSources & further reading
Frequently asked questions
What is CVE-2026-48282 and how serious is it?
CVE-2026-48282 is a path traversal vulnerability in Adobe ColdFusion that scores a maximum 10.0 on the CVSS severity scale. It allows a remote, unauthenticated attacker to execute arbitrary code on the affected server, meaning full compromise is possible without any user interaction.
Does this vulnerability affect my organisation if we are not a US federal agency?
Yes. CISA's patching deadline under Binding Operational Directive 22-01 applies only to federal civilian agencies, but CISA strongly urges all private organisations running ColdFusion, Joomla, or Langflow to apply fixes on the same timeline. Active exploitation means attackers are already scanning for vulnerable servers across the public internet.
Would enabling multi-factor authentication protect against these vulnerabilities?
Not directly. These are server-side vulnerabilities that are exploited before any login process occurs. MFA protects user accounts but does not prevent an attacker from exploiting a web application flaw at the server level. Patching is the required fix.
Where can I find the official CISA list of known exploited vulnerabilities?
The full catalog is published and regularly updated at cisa.gov/known-exploited-vulnerabilities-catalog. Organisations should subscribe to CISA alerts and check new entries against their own software inventory as a standing operational procedure.



