Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-30
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Input Validation flaw (CWE-20) that can lead to arbitrary code execution in the context of the user running the web application. Exploitation requires no user interaction beyond an attacker supplying specially crafted input, and the changed scope (S:C) means the impact can extend beyond the vulnerable ColdFusion component itself. An attacker who exploits this could execute arbitrary commands with the privileges of the application user, compromising confidentiality, integrity, and availability.

Affected Systems

Affected products are Adobe ColdFusion versions 2025.9, 2023.20 and all earlier releases. These systems remain vulnerable until patched or upgraded to an unaffected version.

Risk and Exploitability

The CVSS score of 10.0 indicates maximum severity. The EPSS score is not yet available, so the current probability of exploitation is unknown. The issue is not listed in the CISA KEV catalog, but the absence of a KEV listing does not reduce the risk. The vector (AV:N, PR:N, UI:N) indicates that attackers can likely exploit this remotely through HTTP requests without authentication or user interaction, potentially gaining full control of the application server.

Generated by OpenCVE AI on June 30, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ColdFusion security update from Adobe immediately.
  • Sanitize all user-supplied input on the server side to enforce strict validation rules.
  • Implement a Web Application Firewall to block anomalous requests that could trigger the flaw.


Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title        |                | ColdFusion | Improper Input Validation (CWE-20)
Weaknesses   |                | CWE-20
References   |                |
Metrics      |                | cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T15:12:01.718Z

Reserved: 2026-05-21T15:28:38.133Z

Link: CVE-2026-48277

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-20

    Improper Input Validation