Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Remote unauthenticated file upload yielding code execution with no interaction; scope changes as code escapes the app into the host, so full C/I/A High.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
AnalysisAI
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The required primitive is reachability of a ColdFusion file-upload pathway that fails to restrict dangerous file types (CWE-434) on versions 2025.9 / 2023.20 or earlier; the attacker must be able to write an interpretable script and then cause the server to execute it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Every CVSS 3.1 metric points to worst-case exploitability: AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:N (no interaction), and S:C (scope change) with C:H/I:H/A:H, yielding the maximum 10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reaches an internet-facing ColdFusion instance and sends a crafted HTTP request that uploads a malicious CFML script to a location the server will execute, then requests that file to trigger code execution as the ColdFusion service account - all without authentication prompts or user interaction. With a changed scope and full CIA impact, the attacker can pivot to host-level access and deploy a webshell. … |
| Remediation | Apply the security update referenced in Adobe advisory APSB26-68 (https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html): upgrade to the patched update level above ColdFusion 2025.9 and 2023.20 - Patch available per vendor advisory, exact patched build numbers not enumerated in the input, so confirm the version directly from APSB26-68 before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all ColdFusion instances and affected versions; identify and restrict network access to external-facing deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Coldfusion
View allUnspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files
Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or acc
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attack
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unr
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Acces
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerabili
Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerabi
Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerabi
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerabili
Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 11, 9.0.1 before Update 10, 9.0.2 before Update 5, and 1
Path traversal in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets remote attackers (PR:N) read arbitrary
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40340
GHSA-fvm7-fwcr-42hp