Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2023.19, 2025.8 and all earlier releases contain an improper input validation flaw that allows attackers to execute arbitrary code in the context of the current user. Exploitation does not require user interaction, and an attacker with high privileges can run code potentially with elevated rights. The scope of the vulnerability has been changed to reflect this broader privilege escalation risk. The primary impact is remote code execution.

Affected Systems

Adobe ColdFusion versions 2023.19, 2025.8 and all earlier releases are affected. The vulnerability applies to the core ColdFusion engine regardless of deployment size or architecture. Administrators should verify that their Adobe ColdFusion installations match these versions before applying remediation.

Risk and Exploitability

The CVSS base score of 8.4 categorizes this as high severity. The EPSS score is < 1%, but the lack of a user interaction requirement suggests that remote exploitation is possible. The vulnerability is not listed in the CISA KEV catalog, but its high impact necessitates immediate attention. Attackers could remotely send crafted input to the application, triggering code execution under the current user context and potentially escalating privileges if the application runs with elevated rights.

Generated by OpenCVE AI on June 24, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe ColdFusion update later than 2025.8 as per the Adobe advisory.
  • If patching cannot be performed immediately, block traffic to the entry points that accept unvalidated input until a patch is available.
  • Implement temporary input validation or sanitization controls for all user-supplied data.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 22:30:00 +0000

Type: Description
Values Removed: ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Values Added: ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue does not require user interaction. Scope is changed.

Mon, 15 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update19:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2025:update8:*:*:*:*:*:*

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe coldfusion
Vendors & Products Adobe
Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title ColdFusion | Improper Input Validation (CWE-20)
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-23T21:53:07.112Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47931

Vulnrichment

Updated: 2026-06-10T14:03:22.404Z

NVD

Status : Analyzed

Published: 2026-06-09T21:17:23.050

Modified: 2026-06-15T15:17:36.363

Link: CVE-2026-47931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses