Description
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.
Published: 2026-04-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Patch Now
AI Analysis

Impact

ColdFusion versions 2023.18, 2025.6 and earlier suffer from an improper input validation flaw that allows an attacker to bypass built-in security controls. The vulnerability is classified as CWE-20 and can lead to unauthorized execution of privileged actions or access to protected resources. Exploitation requires the attacker to deliver malicious input that circumvents the expected validation logic.

Affected Systems

Adobe lists the affected products as ColdFusion 2025.6 and earlier and ColdFusion 2023.18 and earlier. Administrators should verify whether their deployment falls within these versions.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity consequence, though exploitation requires user interaction, which reduces the immediacy of risk compared to purely remote attacks. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation in the wild. The likely attack vector involves a crafted input sent to a publicly exposed ColdFusion application, prompting the victim to submit data that bypasses security checks.

Generated by OpenCVE AI on April 14, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe ColdFusion to a version released after 2025.6 that addresses the input validation flaw.
  • Implement strict input validation or allow-listing for all user-supplied data to prevent similar bypasses.
  • Enforce least privilege and restrict access to administrative features within ColdFusion to minimize potential damage if a bypass occurs.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Adobe; Adobe coldfusion

Type: Vendors & Products
Values Added: Adobe; Adobe coldfusion

Tue, 14 Apr 2026 22:00:00 +0000

Type: Description
Values Added: ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.

Type: Title
Values Added: ColdFusion | Improper Input Validation (CWE-20)

Type: Weaknesses
Values Added: CWE-20

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T17:42:33.468Z

Reserved: 2026-02-18T22:02:41.390Z

Link: CVE-2026-27282

Vulnrichment

Updated: 2026-04-15T17:42:30.728Z

NVD

Status: Undergoing Analysis

Published: 2026-04-14T22:16:29.257

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses