ColdFusion EUVD-2026-22736

CVE-2026-27307 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-04-14 psirt@adobe.com
CVSS 3.1 · NVD: 2.4

Severity by source

NVD (primary): 2.4 LOW, AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Apr 14, 2026 - 22:43: Analysis Generated (vuln.today)
Apr 14, 2026 - 22:22: EUVD ID Assigned (euvd), EUVD-2026-22736
Apr 14, 2026 - 22:22: Analysis Generated (vuln.today)
Apr 14, 2026 - 22:16: CVE Published (nvd), LOW 2.4

Description (CVE.org)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of this issue does not require user interaction.

Analysis (AI)

ColdFusion versions 2023.18, 2025.6 and earlier are vulnerable to uncontrolled resource consumption that allows high-privileged attackers to trigger denial-of-service by exhausting system resources without user interaction. The CVSS score of 2.4 reflects low severity due to the high-privilege requirement (PR:H), though the attack vector is adjacent network access (AV:A) and, once the attacker holds elevated privileges, no further authentication is required.

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain high-privilege account credentials
Delivery: Access ColdFusion administration interface
Exploit: Trigger resource exhaustion via crafted request
Execution: Exhaust system resources
Impact: Degrade application availability

Vulnerability Assessment (AI)

Risk Assessment: Despite the CVSS score of 2.4, real-world risk is constrained by the PR:H requirement, which limits the attacker pool to administrators or system operators with high-privilege credentials. …
Exploit Scenario: A disgruntled administrator, or an attacker who has compromised a ColdFusion admin account, uses the high-privileged access to trigger a resource exhaustion condition, for example by initiating a long-running operation or a crafted request that consumes excessive CPU or memory. This gradually degrades application responsiveness for all users without triggering alarms tied to explicit errors or security events. …
Remediation: Apply the security update referenced in Adobe Security Advisory APSB26-38 (https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html). …
