A critical improper input validation flaw in Adobe ColdFusion can allow unauthenticated attackers to execute arbitrary code over the network without user interaction.
What Is It
CVE-2026-48277 is an Improper Input Validation vulnerability (CWE-20) in Adobe ColdFusion. According to the NVD record, the flaw "could result in arbitrary code execution in the context of the current user." Exploitation does not require user interaction, and the vulnerability has a changed scope, meaning an exploit can affect resources beyond the initially vulnerable component. It carries a CVSS 3.1 base score of 10.0 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Why It Matters
The maximum-severity 10.0 rating reflects a worst-case combination: network-reachable (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact to confidentiality, integrity, and availability. An unauthenticated remote attacker can potentially run code and, due to the changed scope, pivot beyond the ColdFusion process. ColdFusion servers are frequently internet-facing application hosts, making this an attractive target.
No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.
What's Vulnerable
Per the NVD description, Adobe ColdFusion versions 2025.9, 2023.20 and earlier are affected. The NVD configuration data enumerates affected builds across the ColdFusion 2023 line (base release through update20) and the ColdFusion 2025 line (base release through update9).
Patch Status
Adobe published security bulletin APSB26-68 covering this issue. Administrators should consult that advisory for the fixed releases and apply the vendor-provided update to any affected ColdFusion 2023 or 2025 installation. Given the CVSS 10.0 severity and network exploitability without authentication, patching should be prioritized.
Sources
- NVD, CVE-2026-48277: https://nvd.nist.gov/vuln/detail/CVE-2026-48277
- Adobe Security Bulletin APSB26-68: https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html