Skip to main content

Coldfusion CVE-2026-48332

| EUVDEUVD-2026-44552 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-14 psirt@adobe.com GHSA-qmg7-8pr5-gpf8
7.7
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from Vendor (adobe) · only source for this CVE.

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:37 vuln.today
CVE Published
Jul 14, 2026 - 21:16 nvd
HIGH 7.7

DescriptionCVE.org

ColdFusion is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Server-side request forgery in Adobe ColdFusion lets a low-privileged, authenticated attacker coerce the server into issuing crafted outbound requests, bypassing a security control and gaining unauthorized read access to resources the attacker should not reach. The CVSS 3.1 scope-changed vector (S:C, C:H) indicates the impact extends beyond ColdFusion itself to backend or internal systems it can reach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, identify all ColdFusion servers in your environment and restrict their outbound network access to only essential destinations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-3336 MEDIUM POC
5.0 May 09

Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files

CVE-2026-48282 CRITICAL POC
10.0 Jun 30

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or acc

CVE-2016-4264 HIGH POC
8.6 Sep 01

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attack

CVE-2018-15961 CRITICAL POC
9.8 Sep 25

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unr

CVE-2023-26360 HIGH POC
8.6 Mar 23

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Acces

CVE-2025-24447 CRITICAL
9.1 Apr 08

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerabili

CVE-2017-11284 CRITICAL
9.8 Dec 01

Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2017-11283 CRITICAL
9.8 Dec 01

Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-44353 CRITICAL POC
9.8 Nov 17

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted

CVE-2025-30285 HIGH
8.4 Apr 08

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerabili

CVE-2013-1389 CRITICAL
10.0 May 16

Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 11, 9.0.1 before Update 10, 9.0.2 before Update 5, and 1

CVE-2026-48313 CRITICAL POC
9.3 Jun 30

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets remote attackers (PR:N) read arbitrary

Share

CVE-2026-48332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy