Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-30
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2025.9, 2023.20 and all earlier releases contain an improper input validation flaw that permits attackers to execute arbitrary code within the context of the user running the server. This flaw is classified as CWE-20 and enables full control over the application server, potentially compromising confidentiality, integrity and availability of the system.

Affected Systems

The affected product is Adobe ColdFusion, specifically versions 2025.9, 2023.20 and any release prior to 2025.9.

Risk and Exploitability

The CVSS score of 10.0 denotes a critical severity. Exploitation does not require user interaction and the changed scope raises the potential for privilege escalation. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is provided in the advisory, although the high CVSS and absence of user interaction indicate it is a likely target for attackers.

Generated by OpenCVE AI on June 30, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch or upgrade to a version released after 2025.9 that resolves the input validation issue.
  • If a patch is not yet available, isolate the ColdFusion instance from untrusted networks and enforce strict access controls on the server to limit exposure.
  • Configure web application firewalls or application layer security controls to block anomalous input that could trigger the flaw.
  • Monitor application and system logs for signs of exploitation, such as unexpected script execution or changes in permission settings.



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Adobe; Adobe coldfusion
Vendors & Products  |                | Adobe; Adobe coldfusion

Tue, 30 Jun 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title       |                | ColdFusion | Improper Input Validation (CWE-20)
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T16:06:27.957Z

Reserved: 2026-05-21T15:28:38.133Z

Link: CVE-2026-48281

Vulnrichment

Updated: 2026-06-30T16:06:21.479Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:00:13Z

Weaknesses
  • CWE-20: Improper Input Validation