Description
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an Improper Input Validation flaw in Adobe ColdFusion that can lead to arbitrary code execution in the context of the current user. An attacker with elevated privileges could cause a victim to run malicious code simply by opening a specially crafted file, resulting in loss of confidentiality, integrity, and availability for that account.

Affected Systems

Adobe ColdFusion versions 2023.18, 2025.6, and all earlier releases are affected. The vulnerability is present across these releases and is reached through ColdFusion's file and object handling mechanisms.

Risk and Exploitability

The flaw carries a CVSS score of 8.4, indicating high severity. Because exploitation requires a privileged account and user interaction, the realistic attack surface is limited, and the issue is not listed in CISA's KEV catalog. The primary attack vector is a malicious file that a victim must open, so the risk is highest when the ColdFusion environment is exposed to untrusted users or files. Note that the published CVSS 3.1 vector (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) encodes adjacent-network access and high privileges but no user interaction, so the vector and the description disagree on that point; treat the description's user-interaction requirement as the vendor's stated precondition when prioritizing.

Generated by OpenCVE AI on April 14, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe’s latest ColdFusion patch or upgrade to a version newer than 2025.6 to remediate the input validation flaw.
  • Restrict the ColdFusion service account to the minimum privileges required, avoiding administrative rights.
  • Limit or disable file upload and opening features, and enforce strict file type validation to block malicious files.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type: CPEs
Values removed: (none)
Values added:
cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*

Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Adobe; Adobe coldfusion

Type: Vendors & Products
Values removed: (none)
Values added: Adobe; Adobe coldfusion

Wed, 15 Apr 2026 10:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 22:00:00 +0000

Type: Description
Values removed: (none)
Values added: ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Type: Title
Values removed: (none)
Values added: ColdFusion | Improper Input Validation (CWE-20)

Type: Weaknesses
Values removed: (none)
Values added: CWE-20

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added:

{'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T09:13:11.287Z

Reserved: 2026-02-18T22:02:41.401Z

Link: CVE-2026-27306

Vulnrichment

Updated: 2026-04-15T09:07:29.858Z

NVD

Status: Analyzed

Published: 2026-04-14T22:16:29.730

Modified: 2026-04-16T14:41:48.607

Link: CVE-2026-27306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses
  • CWE-20: Improper Input Validation