CVE-2026-48322

Adobe · ColdFusion

Adobe ColdFusion contains a code injection vulnerability that allows an authenticated user to execute arbitrary code.

Executive summary

Adobe ColdFusion is susceptible to a critical code injection vulnerability that enables authenticated attackers to execute arbitrary code within the application context.

Vulnerability

This vulnerability involves improper control of code generation (CWE-94), which allows an attacker with low-level privileges to inject and execute arbitrary code. The attack vector is network-based and does not require user interaction.

Business impact

While this vulnerability requires authentication, the potential for arbitrary code execution poses a significant threat to internal security. A compromised account could lead to lateral movement within the network or full server takeover, justifying the critical CVSS score of 9.6.

Remediation

Immediate Action: Update Adobe ColdFusion 2025 to version 11 or later, and Adobe ColdFusion 2023 to version 22 or later.

Proactive Monitoring: Review application access logs for unusual administrative activity or unauthorized code execution attempts by standard user accounts.

Compensating Controls: Enforce strict access control policies and utilize multi-factor authentication to limit the impact of compromised user credentials.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations must ensure that all ColdFusion instances are updated to the latest vendor-supplied versions. Additionally, audit user access rights to ensure that only authorized personnel have the ability to interact with sensitive application functions.