What is the CVSS score of CVE-2026-47929?

CVE-2026-47929 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Adobe ColdFusion are affected by CVE-2026-47929?

Adobe ColdFusion versions 2023 (Update 17 and earlier) and 2025 (Update 8 and earlier) contain a critical authorization flaw (CVSS 9.1) enabling privilege escalation and arbitrary code execution.

How to fix or mitigate CVE-2026-47929?

24 hours: Inventory all ColdFusion 2023 and 2025 installations to identify affected versions (≤Update 17 for 2023, ≤Update 8 for 2025). Review Adobe security bulletin APSB26-64 for patch details and deployment procedures. 7 days: Apply vendor patch to all affected systems; restrict administrative access during remediation. 30 days: Verify patch deployment across all systems; audit access controls and administrative functions post-remediation.

Adobe ColdFusion CVE-2026-47929

EUVD-2026-35833 CRITICAL

Incorrect Authorization (CWE-863)

2026-06-09 psirt@adobe.com

GHSA-f6w2-335h-mp8w

Authentication Bypass RCE Coldfusion

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

vuln.today AI

9.1 CRITICAL

Description states high-privileged remote attacker with no user interaction, scope changes to total impact via arbitrary code execution, so PR:H, S:C, C/I/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Jun 15, 2026 - 15:30 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 15, 2026 - 15:30 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 15, 2026 - 15:22 vuln.today

cvss_changed

Severity Changed

Jun 15, 2026 - 15:22 NVD

HIGH CRITICAL

CVSS changed

Jun 15, 2026 - 15:22 NVD

8.4 (HIGH) 9.1 (CRITICAL)

Analysis Generated

Jun 09, 2026 - 21:30 vuln.today

DescriptionNVD

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Privilege escalation and arbitrary code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and 2025 (Update 8 and earlier) allows a high-privileged remote attacker to bypass authorization controls and execute code in the context of the current user. The flaw is a CWE-863 incorrect-authorization issue with a scope change, raising CVSS to 9.1, but no public exploit identified at time of analysis and EPSS is low (0.02%, 6th percentile). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain high-privileged ColdFusion credentials

Delivery

Reach affected admin functionality over network

Exploit

Invoke endpoint with broken authorization check

Execution

Cross authorization scope (S:C)

Persist

Execute arbitrary code as ColdFusion user

Impact

Pivot to host and persist

Access

Obtain high-privileged ColdFusion credentials

Delivery

Reach affected admin functionality over network

Exploit

Invoke endpoint with broken authorization check

Execution

Cross authorization scope (S:C)

Persist

Execute arbitrary code as ColdFusion user

Impact

Pivot to host and persist

Vulnerability AssessmentAI

Exploitation	Requires an authenticated, high-privileged ColdFusion principal (CVSS PR:H) - i.e., access at the level of a ColdFusion administrator or equivalently privileged role - reachable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed and worth reconciling. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has already obtained high-privileged ColdFusion credentials (for example, via credential reuse, a prior compromise, or a phished administrator) authenticates to the server and invokes the affected functionality, where the broken authorization check fails to constrain the action to its intended scope. Because S:C, the attacker's action breaks out of the authorization context and executes arbitrary code under the running ColdFusion user, yielding host-level command execution; no user interaction is needed and no public exploit identified at time of analysis.
Remediation	Apply the vendor-released patch from Adobe Security Bulletin APSB26-64 (https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html) by upgrading ColdFusion 2023 beyond Update 17 (2023.19) and ColdFusion 2025 beyond Update 8 to the Adobe-published fixed updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all ColdFusion 2023 and 2025 installations to identify affected versions (≤Update 17 for 2023, ≤Update 8 for 2025). …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-47929 vulnerability details – vuln.today

Back

Adobe ColdFusion CVE-2026-47929

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code