CVE-2026-48276: ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: none yet (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unrestricted file upload vulnerability in Adobe ColdFusion (versions 2023.20 and earlier, and 2025.9 and earlier) allows a remote, unauthenticated attacker to upload arbitrary files, including executable scripts, directly to the server. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) confirms the service is reachable over the network with no authentication or victim interaction required, and the changed scope means a successful exploit can break out of the application context into the broader host environment. Successful exploitation gives the attacker full remote code execution, plus complete read, write, and availability control over the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.
HarborGuard Coverage
- Detection: Available
  Detection of CVE-2026-48276 is available across every HarborGuard environment, with ingestion from upstream advisory feeds within minutes of publication and automatic matching against all customer-registry images, including custom-built ColdFusion images. Any image found to ship an affected ColdFusion version (2023.20 or earlier, or 2025.9 or earlier) is flagged immediately in the pipeline scan results.
- Triage: Available
  Triage is available with the full CVSS v3.1 score of 10.0 (Critical) surfaced alongside per-environment compliance policy weighting, so teams can calibrate urgency against their own risk thresholds. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules for the affected image or workload.
- Remediation: Pending upstream
  Because no upstream fix has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated ColdFusion release appears. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without any manual intervention required.
Exploit Conditions
- Network reachability: Required
  The vulnerable ColdFusion endpoint is exposed over the network; an attacker must be able to reach it via HTTP/HTTPS from any internet or internal network position.
- Authentication: Not required
  No account, session token, or credential of any kind is needed; the upload endpoint accepts unauthenticated requests.
- Victim interaction: Not required
  Exploitation is fully server-side; no user action such as clicking a link or opening a file is required.
- Attack complexity: Low
  Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental preconditions.
Blast Radius
- The attacker uploads and executes arbitrary server-side code, achieving full remote code execution in the ColdFusion process context.
- All data readable by the ColdFusion process is exposed, including database credentials, session tokens, configuration files, and application data.
- The attacker can write, overwrite, or delete any file accessible to the ColdFusion process, including application code and operating-system files.
- Because scope is changed, the attacker can pivot beyond the ColdFusion application boundary to affect other services and resources on the host or adjacent systems.
How HarborGuard Handles This
HarborGuard continuously monitors the Adobe advisory for CVE-2026-48276 on every ingest cycle and automatically detects affected ColdFusion images across all customer registries and CI pipelines. Because Adobe has not yet published a fix, no patched rebuild is currently available, but HarborGuard will trigger the rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is released.
In the interim, compensating controls worth evaluating include: network-policy isolation that restricts inbound access to the ColdFusion file-upload endpoint to known-good source ranges; egress filtering that limits the outbound connections the ColdFusion process can make if code is executed; and disabling or gating any file-upload feature flags in the application configuration until a vendor patch is available. The CRITICAL (10.0) score warrants treating this as a highest-priority item in your vulnerability backlog.
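As an added illustration of the network-policy and egress-filtering controls named above (not HarborGuard's or Adobe's own configuration), the Kubernetes NetworkPolicy below limits inbound traffic to the ColdFusion workload to an assumed known-good source range and confines egress to cluster DNS. The namespace, pod labels, port and CIDR are assumptions; a NetworkPolicy operates at L3/L4, so it gates the whole listening port rather than the upload path alone, and path-level gating belongs at the ingress controller or reverse proxy in front of it.

```yaml
# Added example. Namespace, labels, port and CIDR are placeholders to adapt.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coldfusion-limit-exposure
  namespace: cf-apps              # assumption: namespace running ColdFusion
spec:
  podSelector:
    matchLabels:
      app: coldfusion             # assumption: label on the ColdFusion pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the known-good range (e.g. an internal reverse proxy or VPN
    # egress) may reach the application port; everything else is dropped.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16    # assumption: known-good source range
      ports:
        - protocol: TCP
          port: 8500              # assumption: ColdFusion built-in web server port
  egress:
    # Bound what a process could reach if code were executed: cluster DNS only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Once this policy selects the pod, every destination not listed is denied, so add explicit egress rules for the database and any other backends the application legitimately needs, and confirm the cluster's CNI actually enforces NetworkPolicy before relying on it.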
Affected Products
- Adobe / ColdFusion: ≤ 2023.20
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H