Skip to main content

Adobe ColdFusion CVE-2026-47928

| EUVD-2026-35830 CRITICAL
Improper Input Validation (CWE-20)
2026-06-09 psirt@adobe.com GHSA-xq2f-wvpp-9qrx
RCE Coldfusion
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Description confirms network-reachable RCE with no user interaction and explicit scope change; improper input validation in a default-listening web component implies PR:N and AC:L with total CIA impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 15, 2026 - 15:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 15:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jun 15, 2026 - 15:22 NVD
9.6 (CRITICAL) 10.0 (CRITICAL)
Analysis Generated
Jun 09, 2026 - 21:30 vuln.today

DescriptionNVD

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Remote code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and ColdFusion 2025 (Update 8 and earlier) allows unauthenticated network attackers to execute arbitrary code in the context of the current user without any user interaction, with a scope change extending impact beyond the vulnerable component. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS 3.1 score of 10.0, though EPSS exploitation probability is currently only 0.04% (11th percentile) and SSVC reports no observed exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed ColdFusion endpoint
Delivery
Craft malicious HTTP request with unvalidated input
Exploit
Send request to vulnerable handler
Execution
Trigger improper input validation flaw
Persist
Execute arbitrary code as ColdFusion service account
Impact
Leverage scope change to access adjacent resources
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Adobe ColdFusion 2023 (≤Update 17) and ColdFusion 2025 (≤Update 8), with no user interaction required per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) describes the worst realistic profile - network-reachable, low complexity, no privileges, no user interaction, with a scope change - which is why the base score is 10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet sends a single crafted HTTP request to an exposed ColdFusion 2023 or 2025 endpoint containing input that bypasses validation and is processed by a sensitive component, causing the server to execute attacker-supplied code as the ColdFusion service account. Because Scope is Changed, the attacker can then pivot to read application secrets, datasource credentials, or files belonging to other tenants/applications on the same host. …
Remediation Patch available per vendor advisory - apply the updates referenced in Adobe Security Bulletin APSB26-64 (https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html), which supersedes ColdFusion 2023 Update 17 and ColdFusion 2025 Update 8; the exact fixed build numbers should be taken directly from that bulletin rather than inferred. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all ColdFusion deployments; identify systems running ColdFusion 2023 (Update 17 or earlier) or ColdFusion 2025 (Update 8 or earlier). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47928 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy