Latest Adobe ColdFusion vulnerabilities: Multiple CVEs #
Adobe disclosed (via bulletin ID APSB26-68) multiple vulnerabilities in their ColdFusion rapid application development product that could allow an attacker to execute arbitrary code on vulnerable systems, or disclose the contents of arbitrary files.
- CVE-2026-48276: Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. This vulnerability is considered critical with a CVSS score of 10.0.
- CVE-2026-48277: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. This vulnerability is considered critical with a CVSS score of 10.0.
- CVE-2026-48281: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. This vulnerability is considered critical with a CVSS score of 10.0.
- CVE-2026-48282: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. This vulnerability is considered critical with a CVSS score of 10.0.
- CVE-2026-48283: Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. This vulnerability is considered critical with a CVSS score of 10.0.
- CVE-2026-48313: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. This vulnerability is considered critical with a CVSS score of 9.3.
- CVE-2026-48315: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. This vulnerability is considered critical with a CVSS score of 9.3.
- CVE-2026-48307: Reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability is considered high with a CVSS score of 8.8.
- CVE-2026-48285: Server-Side Request Forgery (SSRF) vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. This vulnerability is considered high with a CVSS score of 8.6.
What is Adobe ColdFusion? #
Adobe ColdFusion is a commercial rapid web-application development platform that runs on top of Java and uses its own simplified scripting language, ColdFusion Markup Language (CFML). It is primarily designed to easily connect dynamic web pages to databases and streamline complex enterprise tasks with minimal code.
What is the impact? #
Successfully exploiting one of these vulnerabilities could allow an attacker to execute arbitrary code on the vulnerable system, or disclose the contents of arbitrary files.
ColdFusion 2025.9, 2023.20, and earlier versions are vulnerable.
Are updates or workarounds available? #
Adobe has released updates that address these vulnerabilities and users are advised to upgrade as quickly as possible.
How do I find potentially vulnerable systems with runZero? #
From the Software Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:=Adobe AND product:ColdFusion
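The query above returns every ColdFusion install; deciding which of those still sit inside the affected range means comparing each reported version against the ceilings stated in the impact section (2025.9 and 2023.20, plus everything earlier). The triage helper below is an added example, not runZero's or Adobe's code: it assumes an exported list of (host, version) pairs, assumes that ColdFusion's comma-separated version string is laid out as year,major,update,build, and treats anything above the stated ceilings as patched, which presumes the fix ships as the next update level.

```python
from __future__ import annotations
import re

# Ceilings stated in the bulletin summary: these update levels and anything
# earlier are affected. Anything above them is treated as patched, which
# assumes the fix ships as the next update level (confirm against APSB26-68
# before closing a finding).
AFFECTED_MAX_UPDATE = {2025: 9, 2023: 20}


def parse_version(raw: str) -> tuple[int, int] | None:
    """Return (year, update) for the two spellings expected in an export:
    dotted ("2025.9") and ColdFusion's comma form ("2023,0,20,330619",
    read as year,major,update,build; an assumed layout). None if unparseable."""
    raw = raw.strip()
    m = re.fullmatch(r"(\d{4}),(\d+),(\d+)(?:,\d+)?", raw)
    if m:
        return int(m.group(1)), int(m.group(3))
    m = re.fullmatch(r"(\d{4})(?:\.(\d+))?", raw)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def classify(raw: str) -> str:
    """Classify one version string as 'affected', 'patched' or 'unknown'."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"
    year, update = parsed
    if year in AFFECTED_MAX_UPDATE:
        return "affected" if update <= AFFECTED_MAX_UPDATE[year] else "patched"
    # Releases older than 2023 fall under "and earlier versions" in the bulletin.
    return "affected" if year < 2023 else "unknown"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames from (host, version) pairs by classification."""
    groups: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


# Constructed sample export; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("cf-app-01", "2025.9"),
    ("cf-app-02", "2025,0,10,330001"),
    ("cf-legacy-01", "2023,0,20,330619"),
    ("cf-legacy-02", "2023.21"),
    ("cf-old-01", "2021,0,18,330000"),
    ("cf-odd", "unknown-build"),
]
```

Hosts landing in `unknown` (unparseable or a year the bulletin does not name) still need a manual check rather than being dropped from the list.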
April 2025: Adobe ColdFusion vulnerabilities #
On April 8, 2025, Adobe disclosed (via bulletin ID APSB25-15) multiple vulnerabilities in their ColdFusion rapid application development product that could allow an attacker to execute arbitrary code on vulnerable systems, or disclose the contents of arbitrary files.
What was the impact? #
Successfully exploiting one of these vulnerabilities could allow an attacker to execute arbitrary code on the vulnerable system, or disclose the contents of arbitrary files.
ColdFusion 2021, 2023, and 2025 were vulnerable.
Were updates or workarounds available? #
Adobe released updates that addressed these vulnerabilities and users were advised to upgrade as quickly as possible.
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
product:ColdFusion