Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves improper input validation that allows an attacker to execute arbitrary code in the context of the current user on affected ColdFusion installations. The flaw is classified as CWE-20 and can compromise confidentiality, integrity, and availability, since the attacker gains full execution rights without any user interaction. The description indicates a scope change, meaning the exploit can affect both the application and the underlying operating system if the application runs with elevated privileges.

Affected Systems

Adobe ColdFusion versions 2023.19, 2025.8 and all earlier releases are affected. The vulnerability applies to the core ColdFusion engine regardless of deployment size or architecture. Administrators should verify that their Adobe ColdFusion installations match these versions before applying remediation.

Risk and Exploitability

The CVSS base score of 8.4 places this issue in the high severity range. An EPSS score is not available, but because exploitation requires no user interaction, the analysis suggests that remote exploitation is possible; note that the published CVSS v3.1 vector recorded in the history below lists AV:A (adjacent network) and PR:H (high privileges required). The vulnerability is not listed in the CISA KEV catalog, but its high impact warrants immediate attention. Attackers could send crafted input to the application, triggering code execution in the current user's context and potentially escalating privileges if the application runs with elevated rights.

Generated by OpenCVE AI on June 9, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe ColdFusion patch or upgrade to a version newer than 2025.8 as per Adobe advisory.
  • If patching cannot be performed immediately, block traffic to the entry points that accept unvalidated input until a patch is available.
  • Implement temporary input validation or sanitization controls for all user-supplied data to mitigate exposure until the official fix is deployed.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Adobe; Adobe coldfusion
Vendors & Products   |                | Adobe; Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title       |                | ColdFusion | Improper Input Validation (CWE-20)
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:33:35.611Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47931

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T21:17:23.050

Modified: 2026-06-09T21:17:23.050

Link: CVE-2026-47931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses