Adobe ColdFusion Bug Lets Hackers Get Full Server Control
Adobe has released an emergency security bulletin, APSB26-68, addressing 11 vulnerabilities in Adobe ColdFusion 2025 and ColdFusion 2023, with multiple flaws receiving the maximum CVSS base score of 10.0.
Published on June 30, 2026, the bulletin carries Adobe’s highest Priority Rating of 1, signaling that these vulnerabilities are either actively targeted or pose an extremely high risk of exploitation.
Adobe strongly urges all affected users to apply available patches immediately. The company states it is currently unaware of any in-the-wild exploitation of these issues, but the severity profile leaves little room for delay.
Adobe ColdFusion Flaws
The vulnerabilities can lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass, effectively granting a remote, unauthenticated attacker complete control over a vulnerable ColdFusion server.
Affected versions include ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier, across all supported platforms. Adobe has resolved these issues in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, both of which are now available for download.
Six vulnerabilities carry the maximum severity score:
| CVE ID | Vulnerability Type (CWE) | CVSS Score | Impact | Severity |
|---|---|---|---|---|
| CVE-2026-48276 | Unrestricted File Upload (CWE-434) | 10.0 | Arbitrary code execution | Critical |
| CVE-2026-48283 | Unrestricted File Upload (CWE-434) | 10.0 | Arbitrary code execution | Critical |
| CVE-2026-48277 | Improper Input Validation (CWE-20) | 10.0 | Arbitrary code execution | Critical |
| CVE-2026-48281 | Improper Input Validation (CWE-20) | 10.0 | Arbitrary code execution | Critical |
| CVE-2026-48316 | Improper Input Validation (CWE-20) | 10.0 | Arbitrary code execution | Critical |
| CVE-2026-48282 | Path Traversal (CWE-22) | 10.0 | Remote code execution | Critical |
| CVE-2026-48313 | Improper Input Validation (CWE-20) | 9.3 | Privilege escalation | Critical |
| CVE-2026-48315 | Reflected XSS (CWE-79) | 8.8 | Arbitrary code execution | Critical |
| CVE-2026-48307 | Server-Side Request Forgery (CWE-918) | 8.6 | Security feature bypass | Critical |
| CVE-2026-48314 | Path Traversal (CWE-22) | 6.5 | Privilege escalation | Important |
Independent security researchers disclosed these vulnerabilities through Adobe’s HackerOne bug bounty program. Anirudh Anand (a0xnirudh) was credited for reporting CVE-2026-48283 and CVE-2026-48313, while Matan Sandori (matans1) and 2BSecure were acknowledged for CVE-2026-48307.
Beyond applying the patches, Adobe recommends ColdFusion administrators update to the latest MySQL Java Connector and review updated serial filter documentation to strengthen defenses against insecure deserialization attacks.
Given ColdFusion’s widespread use in building and serving web applications, these vulnerabilities represent a critical attack vector for threat actors, particularly given the six perfect-score CVSS ratings that allow unauthenticated remote code execution.
Organizations running ColdFusion in internet-exposed environments should treat this as a Priority 1 patch and deploy Update 10 (ColdFusion 2025) or Update 21 (ColdFusion 2023) without delay to eliminate the risk of server compromise.
No Comment! Be the first one.