Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2023.19, 2025.8 and earlier contain a stored Cross-Site Scripting vulnerability that allows a low-privileged attacker to inject malicious JavaScript into form fields. Once a victim accesses the compromised page, the injected script executes in the victim's browser, potentially defacing content, stealing session data or injecting further malware. The weakness is a classic input validation flaw (CWE-79).

Affected Systems

Adobe ColdFusion running version 2023.19, 2025.8 or earlier is affected. The flaw is present in all installations of these versions that expose form input to the internet, regardless of operating platform.

Risk and Exploitability

The CVSS score of 4.8 indicates a low-to-moderate severity; the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is legitimate form input: an attacker only needs to embed JavaScript into a form field such as a user profile or comment box and then persuade or trick an end user into visiting the resulting page. Because the scope is changed, the impact extends beyond the vulnerable component itself, so compromised credentials could affect all users with access to the affected system.

Generated by OpenCVE AI on June 9, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent ColdFusion security update or patch as detailed in the Adobe advisory at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html
  • Implement strict input validation and output encoding for all form fields to ensure that user-supplied data cannot contain executable scripts
  • Configure a Web Application Firewall or use application settings to block or sanitize scripts within form input before storage

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 15:15:00 +0000

Type: CPEs
Values Removed: (empty)
Values Added:
  • cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update19:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update7:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update8:*:*:*:*:*:*

Wed, 10 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
  • {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 01:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added:
  • Adobe
  • Adobe coldfusion

Type: Vendors & Products
Values Removed: (empty)
Values Added:
  • Adobe
  • Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added:
  • ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

Type: Title
Values Removed: (empty)
Values Added:
  • ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)

Type: Weaknesses
Values Removed: (empty)
Values Added:
  • CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
  • {'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T13:23:10.253Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47933

Vulnrichment

Updated: 2026-06-10T13:23:03.852Z

NVD

Status : Analyzed

Published: 2026-06-09T21:17:23.287

Modified: 2026-06-15T15:11:40.797

Link: CVE-2026-47933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')