⚡ Active KEV CVE-2026-48277 2026-06-30

Adobe ColdFusion CVE-2026-48277: Critical CVSS 10.0 Remote Code Execution

"A critical improper input validation flaw in Adobe ColdFusion can allow unauthenticated attackers to execute arbitrary code over the network without user interaction."

What Is It

CVE-2026-48277 is an Improper Input Validation vulnerability (CWE-20) in Adobe ColdFusion. According to the NVD record, the flaw "could result in arbitrary code execution in the context of the current user." Exploitation does not require user interaction, and the vulnerability has a changed scope, meaning an exploit can affect resources beyond the initially vulnerable component. It carries a CVSS 3.1 base score of 10.0 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Why It Matters

The maximum-severity 10.0 rating reflects a worst-case combination: network-reachable (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact to confidentiality, integrity, and availability. An unauthenticated remote attacker can potentially run code and, due to the changed scope, pivot beyond the ColdFusion process. ColdFusion servers are frequently internet-facing application hosts, making this an attractive target.

No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.

What's Vulnerable

Per the NVD description, Adobe ColdFusion versions 2025.9, 2023.20 and earlier are affected. The NVD configuration data enumerates affected builds across the ColdFusion 2023 line (base release through update20) and the ColdFusion 2025 line (base release through update9).
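A defender's first task is to find which installs fall inside those ranges. The following added inventory check is not from the brief or from Adobe; the version-string layout it parses (major, minor, update, build, separated by commas or dots) is an assumption about how ColdFusion reports itself, the host names and build numbers are constructed, and the cut-offs are the "update 20" and "update 9" ceilings stated above. Anything newer than those ceilings is reported as outside the stated range, which still needs confirming against APSB26-68.

```python
# Added example: triage a ColdFusion inventory against the affected ranges
# given in the brief (2023 base through update 20, 2025 base through update 9).
import re

# Highest affected update per major line, from the advisory text.
AFFECTED_MAX_UPDATE = {2023: 20, 2025: 9}

# Assumed version layout: YYYY,minor,update[,build] with "," or "." separators.
VERSION_RE = re.compile(r"^(\d{4})[,.](\d+)[,.](\d+)(?:[,.](\d+))?$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, update); reject anything not matching the layout."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str):
    """True if inside the stated range, False if past its ceiling,
    None if the major line is not covered by the advisory text."""
    major, _, update = parse_version(version)
    ceiling = AFFECTED_MAX_UPDATE.get(major)
    if ceiling is None:
        return None
    return update <= ceiling


def triage(inventory):
    """Group (host, version) pairs into affected / past-range / not-covered."""
    buckets = {"affected": [], "past_range": [], "not_covered": []}
    for host, version in inventory:
        status = is_affected(version)
        key = {True: "affected", False: "past_range", None: "not_covered"}[status]
        buckets[key].append((host, version))
    return buckets


# Constructed sample inventory; host names and build numbers are made up.
INVENTORY = [
    ("cf-app-01", "2023,0,20,330741"),
    ("cf-app-02", "2025,0,9,330982"),
    ("cf-app-03", "2025.0.10.331004"),
    ("cf-legacy-01", "2021,0,18,330055"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {hosts}")
```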

Patch Status

Adobe published security bulletin APSB26-68 covering this issue. Administrators should consult that advisory for the fixed releases and apply the vendor-provided update to any affected ColdFusion 2023 or 2025 installation. Given the CVSS 10.0 severity and network exploitability without authentication, patching should be prioritized.

Sources