Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2023.19, 2025.8 and earlier contain an improper input validation flaw that allows an attacker to execute arbitrary code with the privileges of the current user. The vulnerability does not require user interaction and changes the scope of the affected system, giving attackers the potential to seize full control of the application or underlying operating system.

Affected Systems

Adobe ColdFusion products: versions 2023.19, 2025.8 and any earlier releases; newer releases beyond 2025.8 are not affected according to the advisory.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity, and the lack of a listed KEV entry suggests the vulnerability is not yet widely documented in known exploit kits. The attack vector is inferred to be remote network-based, as the flaw can be triggered through crafted input to exposed ColdFusion services without any user interaction, making it suitable for automated exploitation.

Generated by OpenCVE AI on June 9, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Adobe ColdFusion security update that fixes the improper input validation flaw as described in Adobe’s advisory.
  • Restrict inbound traffic to the ColdFusion application tier by configuring network or application firewalls to allow only trusted IP addresses and by blocking request patterns that match known malicious payloads.
  • Apply additional input sanitization at the application level or configure a web application firewall to filter out dangerous input before it reaches ColdFusion components.

Generated by OpenCVE AI on June 9, 2026 at 22:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe coldfusion
Vendors & Products Adobe
Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title ColdFusion | Improper Input Validation (CWE-20)
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Adobe Coldfusion
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:33:36.440Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47928

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T21:17:22.700

Modified: 2026-06-09T21:17:22.700

Link: CVE-2026-47928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses