Skip to main content

Adobe ColdFusion EUVD-2026-35829

| CVE-2026-47931 CRITICAL
Improper Input Validation (CWE-20)
2026-06-09 psirt@adobe.com GHSA-jpc9-55w6-65ch
RCE Coldfusion
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable ColdFusion endpoint, low-privilege authenticated user can trigger validation flaw with no UI; code execution crosses the CF sandbox (S:C) giving full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 15, 2026 - 15:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jun 15, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
Jun 15, 2026 - 15:22 NVD
8.4 (HIGH) 9.9 (CRITICAL)
Analysis Generated
Jun 09, 2026 - 21:32 vuln.today

DescriptionNVD

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe ColdFusion 2023 (up to Update 17/version 2023.19) and ColdFusion 2025 (up to 2025.8) stems from improper input validation (CWE-20) and executes in the context of the current user with a scope change to other components. Adobe PSIRT-reported flaw carries a CVSS 3.1 score of 9.9 but exploitation requires low-privilege authentication (PR:L); no public exploit identified at time of analysis and EPSS is very low at 0.04% (14th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed ColdFusion 2023/2025 instance
Delivery
Obtain low-privilege CF credentials
Exploit
Send crafted request to vulnerable endpoint
Execution
Bypass input validation (CWE-20)
Persist
Execute arbitrary code with scope change
Impact
Deploy webshell and pivot internally
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires network reachability to the ColdFusion HTTP listener and an authenticated session at low privilege (CVSS PR:L) - for example any application user, sandbox tenant, or CF Administrator account with minimal rights - but no user interaction (UI:N) and low attack complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are conflicting and warrant careful weighting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged ColdFusion account - for example via credential stuffing against a customer portal, a self-registration feature, or a chained authentication bypass - sends a crafted request to a vulnerable CFML or CFC endpoint whose input validation flaw permits attacker-controlled data to reach a code-execution sink. Because Scope:Changed, the resulting code execution can move beyond the originating component (e.g., into the JVM or host context), allowing the attacker to drop a webshell, harvest CF datasources/credentials, and pivot into the internal network. …
Remediation Patch available per vendor advisory: apply the updates referenced in Adobe Security Bulletin APSB26-64 at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html, which supersedes ColdFusion 2023.19 and 2025.8 (consult the bulletin for the exact post-fix build numbers since they are not enumerated in the provided data). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all ColdFusion 2023 (Update 17 or earlier) and 2025 (version 2025.8 or earlier) installations; audit low-privilege user account permissions; enable daily monitoring of authentication logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-35829 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy