SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48327 2026-07-14

CVE-2026-48327: Critical ColdFusion Authorization Flaw Enables Remote Code Execution

"Adobe ColdFusion 2025 and 2023 contain a critical incorrect authorization vulnerability that can lead to arbitrary code execution without user interaction."

Adobe ColdFusion 2025 and 2023 contain a critical incorrect authorization vulnerability that can lead to arbitrary code execution without user interaction.

What Is It

CVE-2026-48327 is an Incorrect Authorization vulnerability (CWE-863) in Adobe ColdFusion. According to Adobe's advisory, the flaw "could result in arbitrary code execution in the context of the current user." Exploitation does not require user interaction, and the vulnerability carries a changed scope; meaning a successful attack can affect resources beyond the initially vulnerable component.

The issue is rated CRITICAL with a CVSS 3.1 base score of 9.0 (vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The attack vector is adjacent network, attack complexity is low, and only low privileges are required. Confidentiality, integrity, and availability impacts are all rated High.

Why It Matters

ColdFusion is a widely deployed application server, and code execution flaws in it have historically been attractive targets. With a 9.0 severity score, no user interaction required, and a changed scope allowing impact to spread beyond the vulnerable component, this vulnerability poses a serious risk to affected environments. An attacker with low privileges on an adjacent network could fully compromise confidentiality, integrity, and availability.

The supplied CISA KEV entry is empty, so there is no confirmation of active exploitation in the wild at this time based on the provided source material.

What's Vulnerable

Per Adobe's affected-products data:

Patch Status

Adobe has published a security advisory (APSB26-82) addressing this vulnerability. Fixed releases are available: ColdFusion 2025 update 11 and ColdFusion 2023 update 22 resolve the issue. Administrators running affected versions should upgrade to these patched releases. No CISA KEV required-action or due-date information was provided in the source material.

Sources