Adobe ColdFusion 2025 and 2023 contain a critical code-injection vulnerability (CVSS 9.6) that lets a low-privileged, network-based attacker run arbitrary code without any user interaction.
What Is It
CVE-2026-48322 is an Improper Control of Generation of Code ('Code Injection') vulnerability (CWE-94) in Adobe ColdFusion. According to Adobe's PSIRT advisory, the flaw can result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the scope is changed; meaning a successful exploit can affect resources beyond the vulnerable component's security boundary.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.6 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. It is remotely exploitable over the network with low attack complexity and requires only low privileges. Impacts to confidentiality and integrity are rated HIGH. Code execution against a ColdFusion application server, often internet-facing and running business-critical web apps, makes this a high-value target for attackers.
No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.
What's Vulnerable
Per Adobe's affected-version data:
- ColdFusion 2025: version 10 and earlier are affected; version 11 is unaffected.
- ColdFusion 2023: version 21 and earlier are affected; version 22 is unaffected.
Patch Status
Adobe has published a security advisory (APSB26-82) addressing this issue. The version data indicates fixed releases are available; ColdFusion 2025 update 11 and ColdFusion 2023 update 22 are listed as unaffected. Organizations running affected ColdFusion versions should update to these releases per Adobe's advisory. No CISA KEV required-action or due-date information was supplied.
Sources
- Adobe Security Bulletin APSB26-82; https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html
- NVD, CVE-2026-48322, https://nvd.nist.gov/vuln/detail/CVE-2026-48322