CVE-2026-48322
Adobe · ColdFusion
Adobe ColdFusion contains a code injection vulnerability that allows an authenticated user to execute arbitrary code.
Executive summary
Adobe ColdFusion is susceptible to a critical code injection vulnerability that enables authenticated attackers to execute arbitrary code within the application context.
Vulnerability
This vulnerability involves improper control of code generation (CWE-94), which allows an attacker with low-level privileges to inject and execute arbitrary code. The attack vector is network-based and does not require user interaction.
Business impact
While this vulnerability requires authentication, the potential for arbitrary code execution poses a significant threat to internal security. A compromised account could lead to lateral movement within the network or full server takeover, justifying the critical CVSS score of 9.6.
Remediation
Immediate Action: Update Adobe ColdFusion 2025 to version 11 or later, and Adobe ColdFusion 2023 to version 22 or later.
Proactive Monitoring: Review application access logs for unusual administrative activity or unauthorized code execution attempts by standard user accounts.
Compensating Controls: Enforce strict access control policies and utilize multi-factor authentication to limit the impact of compromised user credentials.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations must ensure that all ColdFusion instances are updated to the latest vendor-supplied versions. Additionally, audit user access rights to ensure that only authorized personnel have the ability to interact with sensitive application functions.