TL;DR
Adobe shipped fixes for 11 Adobe ColdFusion vulnerabilities on 30 June 2026. Six earn a perfect CVSS score of 10.0 and allow arbitrary code execution. Adobe rates the update priority 1, its most urgent tier. The company reports no exploits in the wild.
Why It Matters
ColdFusion servers often sit on the public internet, so attackers scan them quickly for newly disclosed bugs. Several of these Adobe ColdFusion vulnerabilities need no login and little skill. An unauthenticated attacker could run code and seize the server. Past ColdFusion flaws drew rapid exploitation, which raises the stakes here.
How the Attacks Work
Adobe groups the flaws by root cause. Two stem from unrestricted file upload (CVE-2026-48276, CVE-2026-48283), which lets an attacker drop a dangerous file. Several trace to improper input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316). Others involve path traversal (CVE-2026-48282) that escapes the intended directory. Each path can end in arbitrary code execution. Six of the eleven flaws carry the maximum CVSS 10.0 score.
Beyond code execution
The advisory also lists other critical issues. CVE-2026-48313 allows an arbitrary file system read at CVSS 9.3. CVE-2026-48315 enables privilege escalation. CVE-2026-48285 is an SSRF that bypasses a security feature. One reflected XSS bug, CVE-2026-48307, also reaches code execution.
Affected Versions
The flaws hit ColdFusion 2025 Update 9 and earlier. They also affect ColdFusion 2023 Update 20 and earlier. Both editions need the new builds. Adobe lists only the 2025 and 2023 lines, so users on older releases should migrate to a supported version.
Patch and Mitigation
Adobe fixed the issues in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. Apply the update without delay. You can review the full list in the official Adobe ColdFusion security bulletin. Adobe also advises restricting the ColdFusion service account and applying its lockdown guides. These Adobe ColdFusion vulnerabilities deserve same-day patching, given the CVSS 10.0 ratings.
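To turn the version thresholds above into a patch queue, the following added example (not Adobe's tooling and not part of the original report) triages an asset inventory against the fixed update levels. The inventory string format "ColdFusion <year> Update <n>", the host names and the sample rows are assumptions constructed for illustration.

```python
import re

# Fixed update levels as stated in the article: 2025 Update 10, 2023 Update 21.
FIXED_UPDATE = {2025: 10, 2023: 21}

# Assumed inventory format: "ColdFusion <year> [Update <n>]"; no update means base release.
_VERSION_RE = re.compile(r"coldfusion\s+(\d{4})(?:\s+update\s+(\d+))?\s*$", re.IGNORECASE)

# Report order: hosts needing action first.
_ORDER = {"vulnerable": 0, "unsupported": 1, "unknown": 2, "patched": 3}

def classify(version_string):
    """Return (status, detail) for one inventory version string."""
    m = _VERSION_RE.search(version_string.strip())
    if not m:
        return ("unknown", "unrecognised version string, check manually")
    year, update = int(m.group(1)), int(m.group(2) or 0)
    fixed = FIXED_UPDATE.get(year)
    if fixed is None:
        if year < min(FIXED_UPDATE):
            # Older lines are not covered by the update; the article says to migrate.
            return ("unsupported", f"ColdFusion {year} has no fix listed, migrate")
        return ("unknown", f"ColdFusion {year} is not covered by this article")
    if update < fixed:
        return ("vulnerable", f"at Update {update}, needs Update {fixed}")
    return ("patched", f"at Update {update}, fix is Update {fixed}")

def triage(inventory):
    """Classify (host, version) pairs and sort so the riskiest hosts come first."""
    rows = [(host, *classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (_ORDER[r[1]], r[0]))

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("cf-app-01", "ColdFusion 2025 Update 9"),
    ("cf-app-02", "ColdFusion 2025 Update 10"),
    ("cf-legacy", "ColdFusion 2021 Update 18"),
    ("cf-int-03", "Adobe ColdFusion 2023 update 20"),
    ("cf-new-04", "ColdFusion 2025"),
    ("cf-odd-05", "CF (version not recorded)"),
    ("cf-app-06", "ColdFusion 2023 Update 21"),
]

if __name__ == "__main__":
    for host, status, detail in triage(SAMPLE):
        print(f"{host:10} {status:12} {detail}")
```

Feed it the version strings your own inventory or CMDB records, and adjust the regular expression if they use a different format.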