Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-30
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion 2025 through 2025.9, ColdFusion 2023 through 2023.20, and all earlier releases allow an attacker to upload a file of a dangerous type (for example a server-side script) without restriction. If that file is then executed, the code runs in the context of the current user, in practice the account the ColdFusion service runs as. The scope-changed (S:C) component of the CVSS vector means the impact is not confined to the vulnerable component but reaches other resources on the host; it does not by itself mean the attacker gains privileges beyond that account. No user interaction and no privileges are required.

Affected Systems

The affected products are Adobe ColdFusion 2025 up to and including 2025.9, ColdFusion 2023 up to and including 2023.20, and all earlier releases. The advisory states no environment-specific precondition, so every reachable installation of those versions should be treated as affected until patched.

Risk and Exploitability

The CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is the maximum: network-reachable, low attack complexity, no privileges, no user interaction, scope changed, and high confidentiality, integrity and availability impact. An attacker who can reach an affected upload endpoint could deliver a server-side script or binary and have it executed. No EPSS score has been published yet, and absence from CISA's KEV catalogue means no confirmed in-the-wild exploitation has been recorded so far, not that exploitation is infeasible. Unauthenticated access combined with scope change and full C/I/A impact warrants treating this as an emergency patch.

Generated by OpenCVE AI on June 30, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe's security patch as soon as it is published, or upgrade to a release that Adobe lists as fixed; at the time this page was generated no fix or workaround had been published (see Remediation above).
  • Restrict the file upload functionality to an allowlist of safe extensions and MIME types, and validate the file content rather than the client-supplied name or Content-Type header. In CFML, use the accept attribute of cffile action="upload" together with strict="true" so that ColdFusion inspects the file's actual content against the accepted MIME types; never rely on the extension of the uploaded name alone.
  • Disable file upload features that are not needed in your environment.
  • Employ a web application firewall to block known malicious payloads targeting upload endpoints, as a stop-gap rather than a substitute for the patch.
  • Store uploaded files outside the web root, or in a directory from which neither the web server nor ColdFusion will execute, so that a file that slips through cannot be requested as a .cfm/.cfc page; give stored files a server-chosen name rather than the client-supplied one.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title        (none)           ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434)
Weaknesses   (none)           CWE-434
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T15:11:57.918Z

Reserved: 2026-05-21T15:28:38.133Z

Link: CVE-2026-48276

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type