
Adobe ColdFusion EUVD-2026-35828 | CVE-2026-47930 (HIGH)
Improper Input Validation (CWE-20)
2026-06-09 · psirt@adobe.com · GHSA-w3fv-q97h-6qqh
CVSS 3.1 base score: 8.1 (NVD)

Severity by source

NVD (primary): 8.1 HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis generated: Jun 09, 2026 - 21:31 (vuln.today)

Description (NVD)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction.

Analysis (AI)

Security feature bypass in Adobe ColdFusion 2023.19, 2025.8 and earlier allows a low-privileged remote attacker to circumvent authentication controls and gain unauthorized read and write access to protected resources. The flaw stems from improper input validation (CWE-20) and is network-exploitable without user interaction, earning a CVSS 8.1 rating. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed ColdFusion instance
Delivery: Obtain low-privilege credentials
Exploit: Send crafted request bypassing input validation
Execution: Abuse bypass for unauthorized read/write
Persist: Exfiltrate data or upload CFML payload
Impact: Escalate to code execution and persist

Vulnerability Assessment (AI)

Exploitation: The attacker must have network reachability to the ColdFusion server's HTTP/HTTPS listener and must already hold low-privileged authenticated access to the ColdFusion application (CVSS PR:L). In practice that means any valid ColdFusion Administrator account, an application user with a ColdFusion-backed session, or an API token. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N describes a network-reachable, low-complexity attack that requires only low privileges and no user interaction, with high impact on confidentiality and integrity but none on availability. That profile is consistent with an authorization bypass that grants illicit data access rather than a denial of service. …

Exploit Scenario: An attacker who has obtained or registered a low-privilege ColdFusion account (for example via a developer portal, a compromised internal user, or weak or default credentials) sends a crafted HTTP request to a ColdFusion endpoint whose authorization check fails to validate its input properly. The server treats the malformed input as satisfying the access control, and the attacker reads sensitive files or data and writes attacker-controlled content back to the server, which on ColdFusion frequently escalates to remote code execution via uploaded CFML templates. …

Remediation: Apply the patched ColdFusion updates referenced in Adobe Security Bulletin APSB26-64 (https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html). The exact fixed update numbers were not included in the supplied data, so administrators must consult that advisory for the precise versions for the 2023 and 2025 trains. …

Recommended Action (AI)

Within 24 hours: Identify and inventory all systems running Adobe ColdFusion 2023.19, 2025.8, and earlier versions; enable detailed logging of authentication events and resource access; restrict network access to ColdFusion instances to trusted internal networks only. …

