A maximum-severity (CVSS 10.0) file-upload flaw in Adobe ColdFusion allows unauthenticated attackers to run arbitrary code over the network without user interaction.
What Is It
CVE-2026-48276 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Adobe ColdFusion. According to the NVD record, the flaw "could result in arbitrary code execution in the context of the current user," and "exploitation of this issue does not require user interaction." The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 10.0 (CRITICAL) with a changed scope.
Why It Matters
Every metric points to a worst-case remote exploitation profile: network attack vector, low complexity, no privileges required, and no user interaction. Because scope is changed, a successful exploit can affect resources beyond the initially vulnerable component. The combination of unauthenticated arbitrary code execution and high impact to confidentiality, integrity, and availability is why this rates a full 10.0. At the time of writing, no CISA KEV entry accompanies this record, so active exploitation is not confirmed.
What's Vulnerable
Per Adobe's advisory and the NVD data, affected products are:
- Adobe ColdFusion 2025 (through 2025.9 / Update 9)
- Adobe ColdFusion 2023 (through 2023.20 / Update 20) and earlier
The NVD configuration data enumerates all ColdFusion 2023 updates (base through Update 20) and ColdFusion 2025 updates (base through Update 9) as vulnerable.
Patch Status
Adobe has published security bulletin APSB26-68 addressing this vulnerability. Administrators running affected ColdFusion 2025 or 2023 installations should apply the updates referenced in the Adobe advisory as the remediation path. Given the CVSS 10.0 severity and unauthenticated code-execution potential, patching should be treated as urgent.
Sources
- Adobe Security Bulletin APSB26-68 (Vendor Advisory), https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
- NVD, CVE-2026-48276, https://nvd.nist.gov/vuln/detail/CVE-2026-48276