Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
Published: 2026-06-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected Cross-Site Scripting flaw exists in ColdFusion versions 2025.9, 2023.20 and earlier. Attacker-controlled input from a request is written into the HTML response without adequate encoding, so a crafted link makes the victim's browser run script of the attacker's choosing within the origin of the vulnerable ColdFusion application. That script acts with the victim's browser session: it can read page content, issue requests as the user, and reach any cookies or storage not shielded from script. The vendor wording "arbitrary code execution in the context of the current user" refers to this browser-side execution, not to code running on the ColdFusion server. "Scope is changed" carries its CVSS meaning: the vulnerable component (the ColdFusion server) and the impacted component (the user's browser) are different, which is why the score is higher than for an unchanged-scope XSS.

Affected Systems

Adobe ColdFusion, versions 2025.9, 2023.20 and all earlier releases.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (High) follows from the vector recorded in the History section below, CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: no privileges required, user interaction required (the victim must open the malicious link), changed scope, and high impact on confidentiality, integrity and availability. Note that the published vector records the attack vector as Adjacent (AV:A) rather than Network; a reflected XSS delivered by link is normally reachable from wherever the application itself is reachable, so assess your own exposure rather than relying on the AV metric. No EPSS score is available, so the exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 30, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the ColdFusion security update from Adobe once an advisory is published; at the time of this page no advisory or reference is listed for this CVE, so track the Advisories section below.
  • Limit exposure of the affected ColdFusion instance by restricting access to a trusted network or with firewall rules. This reduces who can be a victim, but it does not protect users who can still reach the vulnerable page, since the malicious request is sent from the victim's own browser.
  • Enforce a Content Security Policy whose script-src carries no 'unsafe-inline' and no wildcard sources, using nonces or hashes for legitimate inline scripts. A CSP is a mitigation layer, not a fix for the flaw itself; for application code you control, reflected input should also be output-encoded for its context (ColdFusion's encodeForHTML, encodeForHTMLAttribute and encodeForJavaScript functions).
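
The following Python script, added to this page as an illustration and not code from Adobe or OpenCVE, shows the two things the recommendations above rely on: what a reflected parameter looks like when echoed unencoded versus HTML-encoded (ColdFusion's encodeForHTML does the equivalent in CFML), and a check for whether a given Content-Security-Policy header actually blocks inline scripts. The link, the page template, the parameter name q and the sample headers are constructed for the example; they do not describe the ColdFusion endpoint affected by this CVE, which the page does not identify.

```python
"""Added example for this CVE page (not Adobe's or OpenCVE's code).

Two offline checks:
  1. what "reflected XSS" means: a page that echoes a request parameter
     into HTML without encoding, beside the HTML-encoded version;
  2. whether a Content-Security-Policy header really blocks inline
     scripts, which is what the CSP recommendation depends on.
The link, template, parameter name and headers are constructed for
illustration; nothing here reproduces the ColdFusion flaw itself.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed malicious link of the kind the description mentions: the
# attacker controls a query parameter that the page echoes back.
CONSTRUCTED_LINK = (
    "https://cf.example.test/search.cfm"
    "?q=%3Cscript%3Ealert(document.domain)%3C/script%3E"
)


def reflected_param(url: str, name: str = "q") -> str:
    """Return the decoded value of one query parameter (hypothetical 'q')."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Echo the parameter into HTML unencoded: the reflected-XSS pattern."""
    return f"<p>Results for: {q}</p>"


def render_encoded(q: str) -> str:
    """Same page with HTML-context encoding; the payload becomes inert text."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def parse_csp(header: str) -> dict:
    """Parse a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive; per the CSP spec the first
    occurrence of a directive wins, so later duplicates are ignored.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_blocks_inline_scripts(header: str) -> tuple:
    """Decide whether the policy stops an injected <script> from running.

    script-src governs scripts; if absent, default-src applies; if both
    are absent nothing is restricted. 'unsafe-inline' re-enables inline
    script unless a nonce or hash source is also listed (CSP Level 2+
    browsers then ignore 'unsafe-inline'). A '*' or scheme-only source
    lets an injected <script src=...> load from anywhere.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False, "no script-src or default-src: inline scripts allowed"
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False, "'unsafe-inline' present: injected inline scripts run"
    for s in lowered:
        if s == "*" or s in ("http:", "https:", "data:"):
            return False, f"overly broad source {s}: injected external scripts load"
    return True, "inline scripts blocked"


if __name__ == "__main__":
    payload = reflected_param(CONSTRUCTED_LINK)
    print("unencoded:", render_vulnerable(payload))
    print("encoded:  ", render_encoded(payload))
    for hdr in (
        "default-src 'self'; script-src 'self'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'unsafe-inline' 'nonce-r4nd0m'",
        "img-src 'self'",
    ):
        print(hdr, "->", csp_blocks_inline_scripts(hdr)[1])
```

Run it to see the encoded output and to score candidate CSP headers before deploying one. A policy that carries 'unsafe-inline' in script-src, common where a site still has legacy inline handlers, gives no protection against an injected script element; a nonce or hash is the way to keep legitimate inline scripts while blocking injected ones.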

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description                    ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
Title                          ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T15:11:59.429Z

Reserved: 2026-05-21T15:28:38.136Z

Link: CVE-2026-48307

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')