Skip to main content

Coldfusion EUVD-2026-22734

| CVE-2026-27306 HIGH
Improper Input Validation (CWE-20)
2026-04-14 psirt@adobe.com
RCE Coldfusion
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 22:40 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22734
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 8.4

DescriptionCVE.org

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe ColdFusion 2023.18, 2025.6 and earlier allows authenticated attackers with high privileges to execute malicious code through improper input validation. Exploitation requires user interaction (victim opening a malicious file). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain high-privilege credentials
Delivery
Access adjacent network segment
Exploit
Craft malicious ColdFusion file
Install
Social engineer admin to process file
C2
Trigger input validation flaw
Execute
Execute arbitrary code with scope change
Impact
Achieve full system compromise
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Adobe ColdFusion 2023.18, 2025.6 and earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite the 8.4 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised administrative credentials for a ColdFusion server (through phishing, credential stuffing, or prior exploitation) crafts a malicious ColdFusion template or configuration file. The attacker either directly uploads this file through administrative interfaces or social engineers a legitimate ColdFusion administrator into opening/importing the malicious file. …
Remediation Apply Adobe's security updates immediately by upgrading to the patched versions specified in APSB26-38. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all ColdFusion 2023.18 and 2025.6 instances in your environment and document users with high-privilege accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-22734 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy