How is CVE-2026-47930 exploited?

Network reachability (required): The attacker must reach the ColdFusion service over the network; the vulnerable component is network-exposed (AV:N). Authentication (required): Any low-privilege account is sufficient; the attacker does not need administrative credentials (PR:L). Victim interaction (not-required): Exploitation proceeds without any action from a logged-in user or administrator (UI:N). Attack complexity (info): No special conditions, race conditions, or unusual environmental factors are needed; the exploit is reliable and repeatable (AC:L).

What is the impact of CVE-2026-47930?

A successful attacker reads data protected by the bypassed security controls, including application data and potentially session or credential material. A successful attacker writes to or modifies protected resources, enabling data tampering or injection of malicious content. The bypass nature of the vulnerability means it can serve as a stepping stone to chain with other vulnerabilities that require higher privilege.

Back to search

HIGHCVE-2026-47930Published 2026-06-09Modified 2026-06-11CNA adobe

CVE-2026-47930: ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Improper input validation in Adobe ColdFusion (versions 2023.19, 2025.8 and earlier) allows a network-accessible attacker with a low-privilege account to bypass security controls. The vulnerability is reachable over the network without any victim interaction, and successful exploitation grants unauthorized read and write access to protected resources. No fix version has been published yet; HarborGuard tracks the advisory and will surface patch availability as soon as Adobe releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built ColdFusion images in private registries and CI pipelines. Any image found running an affected ColdFusion version (2023.19, 2025.8 or earlier) is flagged immediately.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each environment's compliance policy to prioritize it appropriately. Triage notifications are routable to the correct team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

Because no fix version has been published by Adobe, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation and egress filtering can be surfaced through HarborGuard's policy recommendations for affected workloads.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the ColdFusion service over the network; the vulnerable component is network-exposed (AV:N).
AuthenticationRequired
Any low-privilege account is sufficient; the attacker does not need administrative credentials (PR:L).
Victim interactionNot required
Exploitation proceeds without any action from a logged-in user or administrator (UI:N).
Attack complexityDetail
No special conditions, race conditions, or unusual environmental factors are needed; the exploit is reliable and repeatable (AC:L).

Blast Radius

A successful attacker reads data protected by the bypassed security controls, including application data and potentially session or credential material.
A successful attacker writes to or modifies protected resources, enabling data tampering or injection of malicious content.
The bypass nature of the vulnerability means it can serve as a stepping stone to chain with other vulnerabilities that require higher privilege.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images on every scan cycle, and any environment running an affected ColdFusion version receives a HIGH-severity finding routed according to that org's compliance policy. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard monitors the advisory on each ingest cycle and will automatically make a rebuild available the moment Adobe ships a patched release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention. While no upstream fix exists, HarborGuard's policy engine can recommend compensating controls including network-policy isolation to restrict inbound access to ColdFusion endpoints, egress filtering to limit lateral movement if the service is compromised, and feature-flag or WAF rule gating where the application stack supports it.

See how HarborGuard automates this

Affected packages

Adobe / ColdFusion
≤ 2025.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

helpx.adobe.com

Metrics

Get notified