DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48276: CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion

CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion

Vulnerability ID: CVE-2026-48276
CVSS Score: 10.0
Published: 2026-06-30

Adobe ColdFusion versions 2025.9 and 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434). An unauthenticated remote attacker can exploit this flaw to upload malicious ColdFusion Markup Language (CFML) files directly into web-accessible directories. Accessing the uploaded script triggers arbitrary code execution in the security context of the running service account.

TL;DR

A critical-severity unrestricted file upload vulnerability in Adobe ColdFusion allows unauthenticated remote attackers to execute arbitrary system commands via crafted web scripts.


Technical Details

  • CWE ID: CWE-434
  • Attack Vector: Network (AV:N)
  • CVSS Score: 10.0 (Critical)
  • Exploit Status: No public exploits currently documented
  • KEV Status: Not listed in CISA KEV catalog
  • Impact: Unauthenticated Remote Code Execution

Affected Systems

  • Adobe ColdFusion 2023
  • Adobe ColdFusion 2025

Mitigation Strategies

  • Deploy official security hotfixes from Adobe immediately.
  • Implement strict web-server level execute permission restrictions on all upload directories.
  • Configure the ColdFusion application runtime to execute under a dedicated low-privilege service account.

Remediation Steps:

  1. Audit all corporate networks to locate active ColdFusion 2023 and 2025 deployments.
  2. For ColdFusion 2025 instances, apply Update 10 or later.
  3. For ColdFusion 2023 instances, apply Update 21 or later.
  4. Confirm patch application by reviewing the active updates tab in the ColdFusion Administrator console.
  5. Configure web server execution maps to prevent execution of server-side files within writable storage directories.

References


Read the full report for CVE-2026-48276 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)