Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
Description (NVD)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Analysis (AI)
Stored XSS in Adobe ColdFusion (2023.x through 2023.19 and 2025.x through 2025.8) enables a low-privileged attacker on an adjacent network to inject persistent malicious JavaScript into vulnerable form fields. When a victim user browses to the page containing the stored payload, the script executes in their browser context; the changed scope (S:C) indicates that the impact can extend beyond the immediate ColdFusion application, for example to session hijacking or unauthorized browser-side actions. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must hold a low-privileged authenticated account on the ColdFusion application (PR:L per the CVSS vector; unauthenticated exploitation is not supported by the available data). … |
| Risk Assessment | The CVSS base score of 4.8 (Medium) reflects several compounding mitigations: the adjacent-network-only attack vector (AV:A) rules out direct internet exploitation, the low-privilege requirement (PR:L) means attackers need an existing account, and user interaction (UI:R) requires a victim to load the poisoned page. … |
| Exploit Scenario | A low-privileged internal user with a valid ColdFusion account submits a crafted payload, such as a script tag or event handler attribute, into a vulnerable form field accessible from their permission level; the payload is stored server-side without sanitization. When an administrator or higher-privileged user subsequently navigates to the page rendering that stored content, the malicious script executes silently in their browser, potentially exfiltrating session cookies to an attacker-controlled endpoint or performing privileged actions on their behalf. … |
| Remediation | Upgrade Adobe ColdFusion to a version beyond 2023.19 on the 2023 track or beyond 2025.8 on the 2025 track, per Adobe security bulletin APSB26-64 at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html. … |
External POC / Exploit Code
EUVD-2026-35827
GHSA-4wgh-wf35-gj87