SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48322 2026-07-14

CVE-2026-48322: Critical Code Injection Flaw in Adobe ColdFusion

"Adobe ColdFusion 2025 and 2023 contain a critical code-injection vulnerability (CVSS 9.6) that lets a low-privileged, network-based attacker run arbitrary code without any user interaction."

Adobe ColdFusion 2025 and 2023 contain a critical code-injection vulnerability (CVSS 9.6) that lets a low-privileged, network-based attacker run arbitrary code without any user interaction.

What Is It

CVE-2026-48322 is an Improper Control of Generation of Code ('Code Injection') vulnerability (CWE-94) in Adobe ColdFusion. According to Adobe's PSIRT advisory, the flaw can result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the scope is changed; meaning a successful exploit can affect resources beyond the vulnerable component's security boundary.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.6 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. It is remotely exploitable over the network with low attack complexity and requires only low privileges. Impacts to confidentiality and integrity are rated HIGH. Code execution against a ColdFusion application server, often internet-facing and running business-critical web apps, makes this a high-value target for attackers.

No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.

What's Vulnerable

Per Adobe's affected-version data:

Patch Status

Adobe has published a security advisory (APSB26-82) addressing this issue. The version data indicates fixed releases are available; ColdFusion 2025 update 11 and ColdFusion 2023 update 22 are listed as unaffected. Organizations running affected ColdFusion versions should update to these releases per Adobe's advisory. No CISA KEV required-action or due-date information was supplied.

Sources