What is the CVSS score of EUVD-2026-22728?

EUVD-2026-22728 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.2%.

Which versions of Coldfusion are affected by EUVD-2026-22728?

A security feature bypass vulnerability in Adobe ColdFusion 2023.18, 2025.6, and earlier (CVSS 7.5) allows unauthenticated remote attackers to circumvent access controls and gain unauthorized access…

How to fix or mitigate EUVD-2026-22728?

Within 24 hours: Inventory all ColdFusion deployments and identify instances running versions 2023.18, 2025.6, or earlier. Within 7 days: Implement network-level access controls to restrict ColdFusion application access to trusted sources only; enable comprehensive logging on all ColdFusion instances. Within 30 days: Engage Adobe support for patch availability timeline and evaluate upgrade feasibility to ColdFusion 2025.7 or later once released; conduct access control audit to identify and revoke any unauthorized access.

Coldfusion EUVD-2026-22728

| CVE-2026-27282 HIGH

Improper Input Validation (CWE-20)

2026-04-14 psirt@adobe.com

GHSA-rfcg-4cq5-pfmm

Authentication Bypass Coldfusion

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 14:52 vuln.today

cvss_changed

Analysis Generated

Apr 14, 2026 - 22:40 vuln.today

EUVD ID Assigned

Apr 14, 2026 - 22:22 euvd

EUVD-2026-22728

Analysis Generated

Apr 14, 2026 - 22:22 vuln.today

CVE Published

Apr 14, 2026 - 22:16 nvd

HIGH 7.5

DescriptionCVE.org

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.

AnalysisAI

Security feature bypass in Adobe ColdFusion 2023.18, 2025.6, and earlier allows remote unauthenticated attackers to circumvent security controls via improper input validation, potentially enabling unauthorized access to protected resources. The vulnerability carries a CVSS score of 7.5 with high integrity impact, though exploitation reportedly requires user interaction per the description. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed ColdFusion endpoint

Delivery

Craft malicious input bypassing validation

Exploit

Submit authentication bypass payload

Execution

Gain unauthorized administrative access

Impact

Modify configurations or data

Access

Identify exposed ColdFusion endpoint

Delivery

Craft malicious input bypassing validation

Exploit

Submit authentication bypass payload

Execution

Gain unauthorized administrative access

Impact

Modify configurations or data

Vulnerability AssessmentAI

Exploitation	ColdFusion 2023.18, 2025.6 and earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-accessible exploitation with low complexity requiring no privileges or user interaction from the CVSS perspective, yet the description states user interaction is required-this discrepancy suggests the UI:N vector may be incorrect or the description refers to administrative interaction rather than victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated remote attacker identifies a publicly accessible Adobe ColdFusion application server and crafts specially formatted HTTP requests with malicious input parameters designed to exploit the input validation weakness in the security enforcement layer. By submitting payloads that bypass authentication or authorization checks, the attacker gains unauthorized access to administrative interfaces or protected application functionality without providing valid credentials. …
Remediation	Apply the vendor-released security updates documented in Adobe Security Bulletin APSB26-38 available at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ColdFusion deployments and identify instances running versions 2023.18, 2025.6, or earlier. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-22728 vulnerability details – vuln.today

Back

Coldfusion EUVD-2026-22728

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code