SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48284 2026-07-14

CVE-2026-48284: Critical ColdFusion Code Execution Flaw

"Adobe ColdFusion contains a critical improper input validation vulnerability (CVSS 9.6) that allows unauthenticated attackers to execute arbitrary code without user interaction."

Adobe ColdFusion contains a critical improper input validation vulnerability (CVSS 9.6) that allows unauthenticated attackers to execute arbitrary code without user interaction.

What Is It

CVE-2026-48284 is an Improper Input Validation vulnerability (CWE-20) in Adobe ColdFusion. According to Adobe's advisory, the flaw "could result in arbitrary code execution in the context of the current user," and exploitation does not require user interaction. The issue carries a changed scope, meaning a successful attack can affect resources beyond the vulnerable component's security context.

Why It Matters

The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.6 (vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). It requires no privileges and no user interaction, has low attack complexity, and delivers high impact to confidentiality, integrity, and availability. The attack vector is adjacent network (AV:A), so exploitation requires access to the same logical network as the target rather than direct internet reach. Even so, arbitrary code execution on an application server makes this a high-priority patch for any exposed ColdFusion deployment.

What's Vulnerable

Per Adobe's affected-product data:

Patch Status

Adobe has published fixed releases. Updating ColdFusion 2025 to update 11 or ColdFusion 2023 to update 22 remediates the vulnerability. Administrators should apply the corresponding update from Adobe security bulletin APSB26-82. This CVE does not currently appear in the supplied CISA KEV data, so there is no confirmed report of active exploitation in the provided source material.

Sources