Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-30
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2025.9, 2023.20 and all earlier releases are susceptible to an unrestricted file upload flaw that permits uploading files of dangerous types. This weakness can lead to arbitrary code execution in the context of the current user. Because exploitation requires no user interaction and the scope is changed (the impact extends beyond the vulnerable component), a successful exploit lets the attacker act with the privileges of the application or server process, potentially compromising the entire system.

Affected Systems

The vulnerability affects Adobe ColdFusion across all versions up to and including 2025.9 and 2023.20. No specific sub-product or edition is excluded, so all typical ColdFusion deployments running those releases are impacted. Administrators should verify whether their installations run one of these version numbers.

Risk and Exploitability

The CVSS score of 10 indicates a critical risk level. No EPSS score is available, so the current exploitation probability cannot be quantified, but the network-reachable, zero-interaction nature of the flaw and the scope change suggest a high likelihood of exploitation in exposed environments. The vulnerability is not listed in the CISA KEV catalog, yet the severity warrants immediate attention.

Generated by OpenCVE AI on June 30, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe ColdFusion to a version released after 2025.9 or 2023.20 that contains the vendor‑issued fix.
  • If an upgrade is not immediately possible, configure the application or web server to reject uploads of files with dangerous MIME types and extensions before they reach the ColdFusion engine.
  • Implement strict input validation in the file upload handling logic (allow-listed extensions and content checks, rather than trusting the client-supplied MIME type alone) so that only permitted file types are accepted.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Adobe; Adobe coldfusion
Vendors & Products  |                | Adobe; Adobe coldfusion

Tue, 30 Jun 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title       |                | ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434)
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T16:20:18.175Z

Reserved: 2026-05-21T15:28:38.134Z

Link: CVE-2026-48283

Vulnrichment

Updated: 2026-06-30T16:20:15.693Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:00:13Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type