Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, the Canadian Center for Cyber Security (CCCS) warned on Thursday.

ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.

Adobe released security updates on Tuesday to address the vulnerability, saying that it posed a high risk of exploitation and urging admins to deploy patches immediately.

"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform," Adobe noted. "Adobe recommends administrators install the update as soon as possible (for example, within 72 hours)."

Two days later, CCCS, the Government of Canada authority that coordinates the country's national response to any cybersecurity incidents, warned that threat actors have already begun exploiting CVE-2026-48282 and prompted defenders to secure their systems against ongoing attacks.