Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2023.19, 2025.8 and earlier contain a stored Cross-Site Scripting vulnerability that allows a low-privileged attacker to inject malicious JavaScript into form fields. Once a victim opens the page that renders the stored input, the injected script executes in the victim's browser, where it could deface content, steal session data or load further malicious code. The weakness is the classic improper neutralization of user input in generated web pages (CWE-79).

Affected Systems

Adobe ColdFusion running version 2023.19, 2025.8 or earlier is affected. The flaw is present in all installations of these versions that expose form input to the internet, regardless of operating system.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is legitimate form input: an attacker only needs to embed JavaScript in a form field such as a user profile or comment box and then persuade or trick an end user into visiting the resulting page. Because the CVSS scope is changed, the impact is not confined to the vulnerable component: a single stored payload can affect every user with access to the affected page, and any credentials it compromises could affect the wider system.

Generated by OpenCVE AI on June 9, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the most recent ColdFusion security update or patch as detailed in the Adobe advisory at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html
  • Implement strict input validation and output encoding for all form fields so that user-supplied data is rendered as text rather than interpreted as script
  • Configure a Web Application Firewall, or use application settings, to block or sanitize script content in form input before it is stored

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe; Adobe coldfusion
Vendors & Products                    Adobe; Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title                          ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:33:33.912Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47933

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T21:17:23.287

Modified: 2026-06-09T21:17:23.287

Link: CVE-2026-47933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses