A critical SQL injection vulnerability in Adobe ColdFusion can lead to arbitrary code execution in the context of the current user, with no user interaction required.
What Is It
CVE-2026-48324 is an Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability (CWE-89) affecting Adobe ColdFusion. According to Adobe's advisory, successful exploitation could result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning the impact can extend beyond the initially vulnerable component. It carries a CVSS 3.1 base score of 9.1 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
Why It Matters
The flaw is network-exploitable with low attack complexity and no user interaction, and it delivers high impact across confidentiality, integrity, and availability. Because the scope is changed and the outcome is arbitrary code execution, an attacker who succeeds can move beyond the database layer into the surrounding application context. The one mitigating factor reflected in the vector is that high privileges are required (PR:H), which somewhat constrains who can trigger it. ColdFusion servers are frequently internet-facing application platforms, making critical flaws in the product a recurring, high-value target.
What's Vulnerable
Per Adobe's affected-product data:
- ColdFusion 2025: versions 0 through 10 are affected; version 11 is unaffected.
- ColdFusion 2023: versions 0 through 21 are affected; version 22 is unaffected.
Patch Status
Adobe has published security bulletin APSB26-82 addressing this issue. The affected-version data indicates fixed builds are available: ColdFusion 2025 version 11 and ColdFusion 2023 version 22 are listed as unaffected. Administrators running earlier updates of ColdFusion 2025 or 2023 should upgrade to these fixed releases. This CVE is not present in the supplied CISA KEV data, so there is no confirmation of active exploitation from that source at this time. The NVD record was published on 2026-07-14 with a status of "Received."
Sources
- Adobe Security Bulletin APSB26-82; https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html
- NVD, CVE-2026-48324, https://nvd.nist.gov/vuln/detail/CVE-2026-48324