CVE-2026-48281: ColdFusion | Improper Input Validation (CWE-20)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Improper input validation in Adobe ColdFusion (versions 2023.20 and earlier, and 2025.9) allows a remote, unauthenticated attacker to execute arbitrary code on the server. The flaw is reachable over the network with no credentials and no victim interaction required, and the changed scope means the attacker can break out of the ColdFusion process and affect other components on the host. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.
HarborGuard Coverage
- Detection (status: Available). The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package ColdFusion. Any image containing an affected version of ColdFusion (at or below 2023.20) is flagged automatically in both registry scans and CI/CD pipeline checks.
- Scoring and routing (status: Available). HarborGuard scores this finding at CVSS 10.0 (Critical) and applies per-environment compliance policy weighting to determine urgency routing. Findings are surfaced to the appropriate team inbox within each customer organization based on their configured policy, with Critical-severity issues prioritized to the top of the remediation queue.
- Remediation (status: Pending upstream). Because no fix version has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without requiring manual intervention once a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable ColdFusion service must be reachable over the network; an attacker can send a malicious request from any internet-accessible position without needing LAN or physical proximity.
- Authentication: Not required
No credentials of any privilege level are needed; the exploit works against an unauthenticated endpoint.
- Victim interaction: Not required
The attacker does not need to trick any user into taking an action; the exploit is entirely server-side.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental setup.
Blast Radius
- Attacker executes arbitrary code in the context of the ColdFusion server process, with the ability to run OS commands, install backdoors, or exfiltrate data.
- Because scope is changed, the attacker can pivot beyond the ColdFusion process and read or tamper with other services, files, or credentials on the underlying host.
- All data accessible to the ColdFusion application, including session tokens, database credentials, and customer records, is exposed for reading.
- The attacker can modify or delete persisted application data and crash or indefinitely disrupt the ColdFusion service and dependent workloads.
How HarborGuard Handles This
Available on HarborGuard: because Adobe has not yet published a fix for this Critical-severity vulnerability, HarborGuard continuously re-checks the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth evaluating include placing ColdFusion instances behind a network policy that restricts inbound access to known, trusted IP ranges; enabling egress filtering to limit outbound connections from the ColdFusion container; and disabling any non-essential ColdFusion features or remote administration endpoints through feature-flag or configuration controls. HarborGuard will surface this CVE at Critical priority in the findings queue for any image containing an affected version, and will push a notification as soon as upstream patch availability changes.
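One way to express the interim inbound and egress restrictions described above, as an added example that is not HarborGuard's or Adobe's configuration: a Kubernetes NetworkPolicy for the ColdFusion pods. The namespace, pod labels, ports and the trusted CIDR are assumptions; the policy denies everything it does not list.

```yaml
# Added example: interim lockdown for ColdFusion pods while no upstream fix exists.
# Assumed values: namespace "coldfusion", pod label app=coldfusion, application
# port 8500 (ColdFusion's built-in web server default), a database pod labelled
# app=postgres, and 203.0.113.0/24 as a placeholder for the trusted source range.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coldfusion-interim-lockdown
  namespace: coldfusion
spec:
  podSelector:
    matchLabels:
      app: coldfusion
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Inbound: only the trusted range, and only the application port.
  # Any source or port not listed here is dropped by the CNI.
  - from:
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - protocol: TCP
      port: 8500
  egress:
  # Outbound: cluster DNS and the application database only. A compromised
  # process cannot open arbitrary outbound connections (callbacks, downloads).
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: postgres
    ports:
    - protocol: TCP
      port: 5432
```

Whether the ipBlock match sees the real client address depends on the CNI and on the load balancer or ingress path preserving source IPs (for example externalTrafficPolicy: Local), so verify the policy with a connection attempt from outside the trusted range before relying on it.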
Affected Products
- Adobe / ColdFusion: ≤ 2023.20
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H