Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper input validation that can allow an attacker to execute arbitrary code in the context of the user running ColdFusion. An attacker could inject malicious scripts into a web page or a file that, when opened by a victim, would allow the attacker to gain elevated access or control over the victim's account or session. The weakness is classified as CWE-20 (Improper Input Validation), and the vulnerability scope is changed, meaning that code execution can potentially affect higher-privilege contexts.

Affected Systems

Adobe ColdFusion versions 2025.9, 2023.20 and all earlier releases are affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is currently not available, but the lack of a publicly known exploit suggests that attack likelihood remains low until a proof-of-concept emerges. In addition, exploitation requires a user to open a malicious file, so this is a user-interaction attack. Because the vulnerability can change the overall scope, an attacker who succeeds can gain system-wide privileges if proper safeguards are not applied. The vulnerability is not listed in the CISA KEV catalog, so there is currently no evidence of widespread exploitation.

Generated by OpenCVE AI on June 30, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch or upgrade to a fixed version of Adobe ColdFusion as detailed in the Adobe APSB26-68 advisory.
  • If immediate patching is not possible, restrict the upload and download of files that could contain malicious scripts, and enforce strict input validation or sanitization on all file contents before processing.
  • Deploy a web application firewall or other runtime protection that blocks known malicious payloads and monitors for suspicious execution attempts, and audit logs for any signs of exploitation.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Adobe; Adobe coldfusion
Vendors & Products    (none)           Adobe; Adobe coldfusion

Tue, 30 Jun 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Title                 (none)           ColdFusion | Improper Input Validation (CWE-20)
Weaknesses            (none)           CWE-20
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T16:20:00.224Z

Reserved: 2026-05-21T15:28:38.137Z

Link: CVE-2026-48315

Vulnrichment

Updated: 2026-06-30T16:19:57.095Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:00:13Z

Weaknesses
  • CWE-20: Improper Input Validation