Adobe ColdFusion contains a critical improper input validation vulnerability (CVSS 9.6) that allows unauthenticated attackers to execute arbitrary code without user interaction.
What Is It
CVE-2026-48284 is an Improper Input Validation vulnerability (CWE-20) in Adobe ColdFusion. According to Adobe's advisory, the flaw "could result in arbitrary code execution in the context of the current user," and exploitation does not require user interaction. The issue carries a changed scope, meaning a successful attack can affect resources beyond the vulnerable component's security context.
Why It Matters
The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.6 (vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). It requires no privileges and no user interaction, has low attack complexity, and delivers high impact to confidentiality, integrity, and availability. The attack vector is adjacent network (AV:A), so exploitation requires access to the same logical network as the target rather than direct internet reach. Even so, arbitrary code execution on an application server makes this a high-priority patch for any exposed ColdFusion deployment.
What's Vulnerable
Per Adobe's affected-product data:
- ColdFusion 2025: versions up to and including update 10 are affected; update 11 is unaffected.
- ColdFusion 2023: versions up to and including update 21 are affected; update 22 is unaffected.
Patch Status
Adobe has published fixed releases. Updating ColdFusion 2025 to update 11 or ColdFusion 2023 to update 22 remediates the vulnerability. Administrators should apply the corresponding update from Adobe security bulletin APSB26-82. This CVE does not currently appear in the supplied CISA KEV data, so there is no confirmed report of active exploitation in the provided source material.
Sources
- Adobe Security Bulletin APSB26-82; https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html
- NVD: CVE-2026-48284; https://nvd.nist.gov/vuln/detail/CVE-2026-48284