Wasteland.
⚡ Active KEV CVE-2026-48276 2026-06-30

CVE-2026-48276: Critical Unauthenticated Code Execution in Adobe ColdFusion

"A maximum-severity (CVSS 10.0) file-upload flaw in Adobe ColdFusion allows unauthenticated attackers to run arbitrary code over the network without user interaction."

What Is It

CVE-2026-48276 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Adobe ColdFusion. According to the NVD record, the flaw "could result in arbitrary code execution in the context of the current user," and "exploitation of this issue does not require user interaction." The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 10.0 (CRITICAL) with a changed scope.

Why It Matters

Every metric points to a worst-case remote exploitation profile: network attack vector, low complexity, no privileges required, and no user interaction. Because scope is changed, a successful exploit can affect resources beyond the initially vulnerable component. The combination of unauthenticated arbitrary code execution and high impact to confidentiality, integrity, and availability is why this rates a full 10.0. No CISA KEV entry accompanying this record confirms active exploitation at the time of writing.

What's Vulnerable

Per Adobe's advisory and the NVD data, affected products are:

The NVD configuration data enumerates all ColdFusion 2023 updates (base through Update 20) and ColdFusion 2025 updates (base through Update 9) as vulnerable.

Patch Status

Adobe has published security bulletin APSB26-68 addressing this vulnerability. Administrators running affected ColdFusion 2025 or 2023 installations should apply the updates referenced in the Adobe advisory as the remediation path. Given the CVSS 10.0 severity and unauthenticated code-execution potential, patching should be treated as urgent.
