Adobe has released an urgent security update for ColdFusion 2025 and 2023 to fix multiple critical vulnerabilities that could allow arbitrary code execution, privilege escalation, arbitrary file read, and security feature bypass.
The issues are rated Priority 1, meaning administrators should patch as soon as possible in environments with active exploitation risk.
The update affects ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier, across all supported platforms.
Adobe has shipped ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 as the fixed versions and strongly recommends all customers upgrade to these releases immediately.
Multiple Adobe ColdFusion Vulnerabilities
Several of the newly disclosed vulnerabilities are rated CVSS 10.0 and enable remote, unauthenticated arbitrary code execution over the network.
These include unrestricted file upload, path traversal, and improper input validation flaws that could allow attackers to upload and execute malicious payloads or abuse crafted requests to gain full control of the affected ColdFusion server.
Critical RCE‑class CVEs Include:
CVE-2026-48276, CVE-2026-48283: Unrestricted upload of files with dangerous types (CWE-434) leading to arbitrary code execution (CVSS 10.0).
CVE-2026-48277, CVE-2026-48281, CVE-2026-48316: Improper input validation (CWE-20) enabling arbitrary code execution (CVSS 10.0).
CVE-2026-48282: Path traversal (CWE-22) leading to arbitrary code execution (CVSS 10.0).
Beyond full RCE, the update also addresses critical weaknesses that can be chained for deeper compromise.
CVE-2026-48313, a critical path traversal bug, allows arbitrary file system reads and carries a CVSS score of 9.3, increasing the risk of configuration and credential exposure.
Privilege escalation is possible via CVE-2026-48315 (improper input validation, CVSS 9.3) and CVE-2026-48314 (path traversal, CVSS 6.5).
The release also fixes a reflected XSS issue (CVE-2026-48307, CVSS 8.8) and a critical SSRF vulnerability (CVE-2026-48285, CVSS 8.6) that could be used to bypass security controls and pivot to internal resources.
Adobe states it is not currently aware of exploits in the wild for any of the vulnerabilities addressed in this update.
However, the combination of unauthenticated network access, maximum CVSS scores, and historically high attacker interest in ColdFusion make rapid patch deployment essential for internet-facing instances.
Administrators are also urged to upgrade to the latest supported JDK/JRE, use the latest MySQL Java connector, configure the serial filter to mitigate insecure deserialization, and apply the official ColdFusion security configuration and Lockdown Guide recommendations.
Adobe credits external researchers, including Anirudh Anand (a0xnirudh), Matan Sandori (matans1), and 2Bsecure, for responsibly reporting several bugs through the company’s HackerOne bug bounty program.