CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion
Vulnerability ID: CVE-2026-48276
CVSS Score: 10.0
Published: 2026-06-30
Adobe ColdFusion versions 2025.9 and 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434). An unauthenticated remote attacker can exploit this flaw to upload malicious ColdFusion Markup Language (CFML) files directly into web-accessible directories. Accessing the uploaded script triggers arbitrary code execution in the security context of the running service account.
TL;DR
A critical-severity unrestricted file upload vulnerability in Adobe ColdFusion allows unauthenticated remote attackers to execute arbitrary system commands via crafted web scripts.
Technical Details
- CWE ID: CWE-434
- Attack Vector: Network (AV:N)
- CVSS Score: 10.0 (Critical)
- Exploit Status: No public exploits currently documented
- KEV Status: Not listed in CISA KEV catalog
- Impact: Unauthenticated Remote Code Execution
Affected Systems
- Adobe ColdFusion 2023
- Adobe ColdFusion 2025
Mitigation Strategies
- Deploy official security hotfixes from Adobe immediately.
- Implement strict web-server level execute permission restrictions on all upload directories.
- Configure the ColdFusion application runtime to execute under a dedicated low-privilege service account.
Remediation Steps:
- Audit all corporate networks to locate active ColdFusion 2023 and 2025 deployments.
- For ColdFusion 2025 instances, apply Update 10 or later.
- For ColdFusion 2023 instances, apply Update 21 or later.
- Confirm patch application by reviewing the active updates tab in the ColdFusion Administrator console.
- Configure web server execution maps to prevent execution of server-side files within writable storage directories.
References
- Official Adobe Security Advisory (APSB26-68)
- CVE-2026-48276 Record on CVE.org
- Wiz Vulnerability Database Details
Read the full report for CVE-2026-48276 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)