HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-48315Published Modified CNA adobe

CVE-2026-48315: ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

CVSS v3.1
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An improper input validation vulnerability in Adobe ColdFusion (versions 2023.20 and earlier, and 2025.9) allows a network-based attacker with no authentication to inject malicious scripts into web pages viewed by victims. The attacker must trick a user into opening a crafted file, after which successful exploitation gives the attacker arbitrary code execution in the victim's session context, with the ability to read sensitive data, tamper with account state, and escalate control beyond the initially targeted component. Because no fix versions have been published, HarborGuard is actively tracking this advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-48315 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built ColdFusion images in CI pipelines and registries. Any image found running an affected ColdFusion version surfaces in the findings dashboard immediately.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.3 (Critical) and weighting it against each environment's compliance policy to determine breach-of-threshold status. Triage routing is available to direct the finding to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Available
Patch

Because no upstream fix version has been published for CVE-2026-48315, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable ColdFusion service must be reachable over the network; an attacker sends a crafted payload from a remote location without needing local access to the host.

  • AuthenticationNot required

    No account or credentials are required on the ColdFusion application before launching the attack.

  • Victim interactionRequired

    A victim must open a malicious file delivered by the attacker, making this a social-engineering-dependent exploit.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond victim interaction.

Blast Radius

  • The attacker executes arbitrary code in the context of the victim user's session, inheriting that user's permissions and access within the ColdFusion application.
  • Stored session tokens, credentials, and customer records rendered in the victim's browser session are exposed to the attacker.
  • The attacker can modify account state, submit authenticated actions, or escalate to elevated roles the victim holds within the application.
  • Scope is changed, meaning impact can extend beyond the vulnerable ColdFusion component to other systems or services the victim's session can reach.

How HarborGuard Handles This

Available on HarborGuard: because Adobe has not yet published a fix for CVE-2026-48315, the recommended immediate action is to use HarborGuard's network-policy controls to restrict inbound access to ColdFusion instances to known, trusted IP ranges, reducing the pool of potential attackers who can deliver the malicious payload to users. Egress filtering rules can be configured to limit what a compromised session can reach, containing lateral movement if exploitation occurs. Feature-flag or WAF-layer controls that restrict file-open interactions on ColdFusion endpoints are also worth evaluating as a compensating control while the advisory remains unpatched. HarborGuard re-checks the Adobe upstream advisory on every ingest cycle; the moment a patched version is published, a rebuilt image becomes available and, for customers with auto-remediation enabled, a regression-tested PR is opened against affected workloads automatically.

See how HarborGuard automates this
Affected packages
  • Adobe / ColdFusion
    ≤ 2023.20
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References