The U.S. Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its Known Exploited Vulnerabilities catalog on Tuesday, confirming active exploitation in the wild.
The most severe flaw is CVE-2026-48282, a path traversal vulnerability affecting Adobe ColdFusion with a CVSS score of 10.0. This vulnerability allows attackers to execute arbitrary code within the ColdFusion application context, giving them direct access to the hosting server and any data processed by the application.
CISA's KEV catalog tracks security flaws that have confirmed active exploitation. Inclusion on this list signals federal agencies and critical infrastructure operators to prioritize patching. Organizations running affected software face direct risk from threat actors already weaponizing these flaws.
The advisory indicates at least three additional vulnerabilities across Joomla and Langflow platforms also made the list, though specific CVE details for those flaws remain incomplete in available reporting. The presence of multiple actively exploited flaws across different software vendors suggests coordinated scanning and exploitation efforts by threat actors.
Adobe ColdFusion remains a persistent target for remote attackers. The platform handles sensitive business logic and databases for many organizations. Path traversal flaws in particular allow attackers to bypass directory restrictions and access files outside intended directories, potentially exposing configuration files containing database credentials and API keys.
Organizations running Adobe ColdFusion, Joomla installations, or Langflow deployments should immediately check for available security patches and apply them without delay. Those unable to patch immediately should segment affected systems from critical networks and monitor access logs for suspicious file access patterns.
The timing of CISA's notification reflects the agency's commitment to improving visibility into exploited vulnerabilities. Federal agencies must address KEV-listed flaws within 15 days under binding operational directives. Private sector organizations should treat this timeline as a baseline for
