Adobe ColdFusion: Many Takeover Flaws (CVE-2026-48276 et al.), Five Unauthenticated 10.0s — Patch Now
Adobe ColdFusion has 9 new flaws that let attackers take over a server from outside with no login. Five are rated a perfect 10.0 (CVE-2026-48276 et al.). Adobe shipped a fix (APSB26-68) — update now.
A wave of vulnerabilities has been found in Adobe ColdFusion, an application server widely used behind the web systems of companies and government agencies. Several of them let an attacker take over a server from the outside without logging in. The U.S. National Vulnerability Database (NVD) recorded 9 ColdFusion flaws dated June 30, 2026, and 5 of them are rated a perfect 10.0 out of 10, the highest possible score. All five require no login and no user interaction: an attacker can run any command on the targeted server. The representative ID is CVE-2026-48276; all nine are covered by Adobe security bulletin APSB26-68.
ColdFusion has been abused in real attacks again and again, landing repeatedly on the U.S. CISA "Known Exploited Vulnerabilities (KEV) catalog." Flaws like these — "take over without logging in" — tend to be hunted worldwide and automatically right after disclosure, and how fast you respond decides whether you get hit. For any organization running Adobe ColdFusion on its own servers or in the cloud, this is a top-priority issue to act on now.
| Item | Details |
|---|---|
| Affected software | Adobe ColdFusion 2025 Update 9 (2025.9) and earlier / 2023 (2023.20) and earlier |
| Number of flaws | 9 in ColdFusion (5 rated CVSS 10.0) |
| Worst case | Unauthenticated server takeover (run any command) |
| Attack prerequisite | ColdFusion reachable over the network by the attacker; the five 10.0 flaws need no login and no user interaction |
| Mitigation now | Apply Adobe's latest update (APSB26-68) immediately |
* "CVSS" is an international scale that rates a flaw's severity out of 10; 10.0 is the maximum. The CVSS values here are the CVSS v3.1 base scores at the time of publication.
Who is at risk, and what is the damage?
The first to exploit this will be attackers who systematically scan the internet for exposed ColdFusion servers. Because ColdFusion runs websites and business systems, its entry point is often open to the outside, and scanners target any public server running ColdFusion the moment they find it. The most severe flaws here need no login, so any reachable server is a candidate.
What the attacker does is send a crafted file or malicious input and get the server to run their own command without ever authenticating. Several ColdFusion features process incoming files or strings without checking their contents well enough, so operations that should never be allowed get through. A classic method is to upload an attack program as a file and have the server execute it. Once one command runs, further tooling can be staged piece by piece.
Once arbitrary commands can run, the server is effectively taken over. Website defacement, theft of customer and personal data stored in the database, a foothold into other internal systems, and even planting ransomware — the damage spreads fast. The direct targets are the companies and agencies operating ColdFusion, but the ones who ultimately suffer are the ordinary people using those services. In the sense that a server holding your personal data gets hit, this is not only the operators' problem.
What ColdFusion is, and why it concerns so many organizations
Adobe ColdFusion is software (an application server) that serves as the foundation for building and running websites and business apps. A long-lived product first released in 1995, it is still developed by Adobe in generations like "2025" and "2023." Its strength is quickly building database-driven dynamic web pages — contact forms, member sites, internal business systems — in ColdFusion's own language, and it remains widely used in conservative fields such as government, finance, education, and manufacturing.
Some may feel they "don't hear the name much anymore." But precisely because it has been used for so long, ColdFusion persists as a behind-the-scenes system invisible from the front. And these veteran servers that "just keep running" tend to have their updates deferred, which makes them prime targets. ColdFusion has been abused in attacks many times before, and CISA has repeatedly flagged it as actively exploited. The most dangerous situation is "not even knowing whether you have ColdFusion."
The flaws — which ones are dangerous, and how
Nine flaws were published for ColdFusion this time. Sorted by severity, the ones to watch most are the 5 (all CVSS 10.0) that let an attacker take over a server outright with no login and no user interaction. Here is the full list, followed by what each type does.
| CVE ID | Type of flaw | Severity | What happens |
|---|---|---|---|
| CVE-2026-48276 | Dangerous file upload | 10.0 | Takeover, no login or interaction |
| CVE-2026-48283 | Dangerous file upload | 10.0 | Takeover, no login or interaction |
| CVE-2026-48277 | Improper input handling | 10.0 | Takeover, no login or interaction |
| CVE-2026-48281 | Improper input handling | 10.0 | Takeover, no login or interaction |
| CVE-2026-48282 | Path traversal | 10.0 | Takeover, no login or interaction |
| CVE-2026-48313 | Path traversal | 9.3 | Unauth file read + limited write |
| CVE-2026-48315 | Improper input handling | 9.3 | Lure a click, run code as the user |
| CVE-2026-48307 | Cross-site scripting | 8.8 | Lure a click, run code as the user |
| CVE-2026-48285 | Server-side request forgery (SSRF) | 8.6 | Unauth read of internal resources |
Takeover by uploading a file: CVE-2026-48276 / CVE-2026-48283
These two are a type called unrestricted file upload (CWE-434). A file that should never be accepted (a server-side script that runs commands) can be sent in, and once the server executes it the attacker controls the machine. No login and no special interaction are needed, which makes this the most classic and reliable takeover method, and both are rated the maximum 10.0.
Commands run via malicious input: CVE-2026-48277 / CVE-2026-48281
These two are improper input validation (CWE-20). The check on whether incoming data is safe is too weak, so the server runs commands the attacker slipped in. These are also unauthenticated and need no interaction, both rated 10.0.
Reaching places you shouldn't: CVE-2026-48282 / CVE-2026-48313
These two are path traversal (CWE-22), abusing path specifications (like "go up one level") to reach locations that should be off-limits. CVE-2026-48282 ultimately leads to command execution and is rated 10.0; CVE-2026-48313 allows reading files on the server and limited writing, rated 9.3. If config files or credentials are read, that itself becomes the key to the next break-in.
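The two flaw classes above, unrestricted file upload (CWE-434) and path traversal (CWE-22), usually travel together in real exploitation: a client-controlled filename carries `../` so that an uploaded script lands in a served directory. The following Python is an added illustration of the generic weakness beside a hardened handler; it is not ColdFusion's code, not the code behind any of the CVEs listed, and the upload root, the allowlist of types and the sample requests are all assumptions constructed for the example.

```python
import posixpath
import secrets

# Destination for accepted uploads. Assumed here to live OUTSIDE the web root,
# so nothing written there is ever served or executed as a page.
UPLOAD_ROOT = "/var/cf_uploads"

# Allowlist: extension -> leading bytes the content must actually start with.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# Anything the application server would execute if it landed in a served directory.
SERVER_SCRIPT_EXTS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx", ".jspf", ".war", ".jar"}


def vulnerable_destination(root, client_filename):
    """CWE-434 + CWE-22 together: trusts the client's name, so '../' walks out of
    the upload directory and a .cfm name becomes an executable page."""
    return posixpath.normpath(posixpath.join(root, client_filename))


def hardened_destination(root, client_filename, content):
    """Return the path a hardened handler would write to, or raise ValueError."""
    # 1. Only the final path component from the client survives; NUL bytes are rejected.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if not name or "\x00" in name or name in (".", ".."):
        raise ValueError("empty or malformed filename")

    # 2. Every dotted suffix is checked, so 'shell.cfm.png' is rejected as well.
    parts = name.lower().split(".")
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & SERVER_SCRIPT_EXTS:
        raise ValueError(f"server-side script extension in {name!r}")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not in allowlist")

    # 3. The declared type must match what the bytes actually are.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError(f"content does not look like {ext}")

    # 4. The stored name is chosen server-side; the client's name never reaches disk.
    stored = secrets.token_hex(16) + ext
    dest = posixpath.normpath(posixpath.join(root, stored))

    # 5. Belt and braces: the final path must still be inside the upload root.
    if posixpath.commonpath([root, dest]) != posixpath.normpath(root):
        raise ValueError("destination escaped the upload root")
    return dest


def demo():
    """Constructed requests pushed through both handlers; returns {label: (naive, hardened)}."""
    cases = {
        "traversal+script": ("../../cfusion/wwwroot/shell.cfm", b'<cfexecute name="/bin/sh">'),
        "double-extension": ("report.cfm.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
        "type-mismatch":    ("photo.png", b"<cfset x = 1>"),
        "legitimate-pdf":   ("../../quarterly report.pdf", b"%PDF-1.7 ..."),
    }
    results = {}
    for label, (filename, content) in cases.items():
        naive = vulnerable_destination(UPLOAD_ROOT, filename)
        try:
            hardened = hardened_destination(UPLOAD_ROOT, filename, content)
        except ValueError as err:
            hardened = f"REJECTED: {err}"
        results[label] = (naive, hardened)
    return results


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:<18} naive -> {naive}\n{'':<18} hardened -> {hardened}")
```

The point of the comparison is that the naive handler resolves `../../cfusion/wwwroot/shell.cfm` to a path under a served directory with an executable extension, while the hardened one never uses the client's name on disk at all and rejects on extension, on content sniffing and on the final path check independently, so a single bypass is not enough.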
Abuse by luring a click: CVE-2026-48307 / CVE-2026-48315
These two work by getting an administrator or other user to click a malicious link the attacker prepared. CVE-2026-48307 is cross-site scripting (CWE-79) and CVE-2026-48315 stems from improper input handling; both lead to actions or code execution in the victim's browser with the victim's privileges, rated 8.8 and 9.3. Unlike the five above, they need the extra step of "getting someone to click," but the impact grows when staff who handle the admin screen are targeted. The remaining CVE-2026-48285 is a server-side request forgery (SSRF, CWE-918) that makes the server reach internal resources on the attacker's behalf, rated 8.6.
Note that on the same day, June 30, 2026, a separate Adobe product, Adobe Campaign Classic (marketing software used for email delivery and the like), also had a 10.0-severity flaw that runs commands without authentication: CVE-2026-48286 (incorrect authorization, CWE-863). It is a different product from ColdFusion, but organizations using Adobe Campaign Classic (7.4.3 build 9396 and earlier) need to update it as well.
Is my server at risk? A quick situation chart
Your risk depends heavily on whether your ColdFusion is reachable from outside and whether your version is in scope. Match your situation against the chart.
| Your situation | Risk | What to do now |
|---|---|---|
| Affected version, exposed to the internet | Highest (can be taken over unauth) | Update now. If not possible, temporarily stop exposure |
| Affected version, used only on internal network | High (insiders / pivots can abuse) | Update promptly. Restrict where connections come from |
| Unsure whether you use ColdFusion | Unknown = check (often lingers behind the scenes) | Inventory first. Confirm what's running and its version |
| Already applied the latest update | Low (these 9 are fixed) | Check for signs of intrusion; keep updating going forward |
* In scope are ColdFusion 2025 Update 9 (2025.9) and earlier, and the relevant 2023 build (2023.20) and earlier. You can check your version in the admin console's system information. If you run an older generation (such as 2021), confirm its support status as well.
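For a fleet of more than a handful of hosts, the situation chart above is easier to apply from an inventory than by hand. The following Python is an added example, not Adobe's tooling or a script from this article; it encodes only the affected ranges stated on this page (2025 up to and including Update 9, 2023 up to and including 2023.20), assumes version strings in either the short form used here ("2025.9") or a four-part year.0.update.build form as shown in the ColdFusion Administrator, and uses a constructed sample inventory with made-up hostnames.

```python
import re

# Last *affected* update per generation, as stated in this article for APSB26-68.
# A host at or below this update is in scope; above it is patched.
LAST_AFFECTED_UPDATE = {2025: 9, 2023: 20}

# Accepts "2025.9" and assumed four-part strings such as "2025.0.9.330500"
# or "2023,0,20,330262" (either "." or "," as separator).
_VERSION_RE = re.compile(r"^(\d{4})(?:[.,]0)?[.,](\d+)(?:[.,]\d+)?$")


def parse_version(text):
    """Return (generation, update) for a ColdFusion version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def patch_status(text):
    """'affected', 'patched', or 'unknown-generation' (e.g. 2021: confirm support status)."""
    generation, update = parse_version(text)
    last = LAST_AFFECTED_UPDATE.get(generation)
    if last is None:
        return "unknown-generation"
    return "affected" if update <= last else "patched"


def risk_tier(text, internet_exposed):
    """Map one host onto the tiers of the situation chart."""
    status = patch_status(text)
    if status == "patched":
        return "low"
    if status == "unknown-generation":
        return "check-support"
    return "highest" if internet_exposed else "high"


def triage(inventory):
    """inventory: iterable of (hostname, version, internet_exposed). Rows come back worst-first."""
    order = {"highest": 0, "high": 1, "check-support": 2, "low": 3}
    rows = []
    for host, version, exposed in inventory:
        try:
            tier = risk_tier(version, exposed)
        except ValueError:
            tier = "check-support"  # unparseable string: go and look at the box
        rows.append({"host": host, "version": version, "exposed": exposed, "tier": tier})
    return sorted(rows, key=lambda r: order[r["tier"]])


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("www-cf01", "2025.0.9.330500", True),
    ("intranet-cf02", "2023,0,20,330262", False),
    ("www-cf03", "2025.0.10.330600", True),
    ("legacy-cf04", "2021.0.6.330132", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['tier']:<14} {row['host']:<14} {row['version']}")
```

Exposure is an input here, not something the script discovers: take it from your external attack-surface inventory or from a scan of your own address space, not from what the server believes about itself.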
What you should do now
The top priority is to apply Adobe's latest update immediately. All nine flaws are fixed in it. Check the Adobe security bulletin APSB26-68 and the update lists for ColdFusion 2025 and ColdFusion 2023, and move to the latest version for your generation. Flaws that allow unauthenticated takeover are hunted right after disclosure, so this is a "do it now" matter, not one for the next scheduled maintenance window.
If you genuinely cannot update right away, consider a stopgap of making ColdFusion unreachable directly from the internet. If it doesn't need to be public, keep it on the internal network; if it does, restrict source addresses and place a web application firewall (WAF) in front to narrow the attack surface. Reviewing the "lockdown" settings Adobe has long recommended, which disable unneeded features, also helps.
Also check whether you have already been breached. A typical move in ColdFusion attacks is dropping a web shell, a script the attacker can reach over HTTP to run commands, into a served directory. Look for unfamiliar or recently modified script files in public directories and for suspicious traffic in your logs. ColdFusion flaws have been used in real attacks before and have landed on the CISA Known Exploited Vulnerabilities (KEV) catalog many times, so it is safest to prepare on the assumption that abuse will spread this time too.
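One concrete way to do the web-shell check from the paragraph above is to walk the served directory tree and flag script files that were modified recently or that contain the kind of command-execution primitives a CFML or JSP shell needs. The Python below is an added example, not Adobe's guidance or a script from this article: the indicator patterns are a starting set chosen for the example, and the sample web root it scans is constructed in a temporary directory with made-up file names and contents. Expect false positives from legitimate admin tooling and treat "recently modified" as a prompt to look, not as proof.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions the application server executes when served from a public directory.
SCRIPT_EXTS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx"}

# Content indicators typical of CFML/JSP web shells. Chosen for this example;
# tune to your environment.
INDICATORS = {
    "cfexecute tag": re.compile(rb"<cfexecute\b", re.I),
    "java Runtime.exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I),
    "Runtime via createObject": re.compile(
        rb"createObject\(\s*[\"']java[\"']\s*,\s*[\"']java\.lang\.Runtime", re.I),
    "dynamic evaluate": re.compile(rb"\bevaluate\(", re.I),
    "base64 payload decode": re.compile(rb"binaryDecode\(|Base64\.getDecoder", re.I),
}


def hunt_webroot(root, max_age_days=7, now=None):
    """Return {relative path: [reasons]} for scripts under root that were modified
    within max_age_days and/or match a web-shell indicator."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons = []
        if path.stat().st_mtime >= cutoff:
            reasons.append("modified in last %d days" % max_age_days)
        data = path.read_bytes()
        reasons += [name for name, rx in INDICATORS.items() if rx.search(data)]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_webroot(now=None):
    """Constructed sample tree in a temp directory (not real server content)."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="cf_wwwroot_"))
    files = {
        # relative path: (content, age in days)
        "index.cfm": (b"<cfoutput>Hello #now()#</cfoutput>", 400),
        "app/orders.cfc": (b"<cfcomponent><cffunction name='list'/></cfcomponent>", 90),
        "app/new_feature.cfm": (b"<cfset x = 1>", 1),  # recent but benign
        "uploads/x9k2.cfm": (b'<cfexecute name="#url.c#" timeout="10"/>', 1),
        "uploads/report.pdf": (b"%PDF-1.7 ...", 1),  # not a script: ignored
        "old/legacy_admin.cfm": (b"<cfset r = createObject('java','java.lang.Runtime')>", 200),
    }
    for rel, (content, age_days) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    return root


def run_demo():
    """Build the sample tree and hunt it with a 7-day window."""
    now = time.time()
    return hunt_webroot(build_sample_webroot(now), max_age_days=7, now=now)


if __name__ == "__main__":
    for rel, reasons in sorted(run_demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Note what the two weaker signals look like on their own: `app/new_feature.cfm` is flagged only because it is new, and `old/legacy_admin.cfm` only because of its content. An attacker can backdate mtimes and obfuscate payloads, so run this alongside the access logs (a request to a script nobody deployed is the stronger signal) rather than instead of them.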
Frequently asked questions
I don't think we use ColdFusion. Does this concern us?
Not directly. However, ColdFusion often lingers as a behind-the-scenes system, and "we didn't realize we had it" really does happen. It's worth inventorying the web systems and servers running in your organization and checking once whether ColdFusion is in use. A service you rely on could also be running ColdFusion behind the scenes.
Which versions are dangerous?
According to the NVD entries, in scope are ColdFusion 2025 Update 9 (2025.9) and earlier, and the relevant 2023 build (2023.20) and earlier. You can check your version in the admin console's system information. Adobe security bulletin APSB26-68 announces the fixed release, so move to the latest update for your generation. If you run an older generation, also confirm whether it is still supported.
Is it already being exploited?
As of this article, we have not confirmed any public report (such as a CISA KEV listing) that these nine flaws have been used in real attacks. That said, ColdFusion has been abused many times before, and unauthenticated-takeover flaws tend to be hunted right after disclosure. It's safest to finish updating before abuse spreads. The situation can change, so check official sources regularly.
Is the Adobe Campaign Classic flaw a separate thing?
It's a flaw in a different product. On the same day, June 30, 2026, Adobe Campaign Classic (software used for email delivery and the like), separate from ColdFusion, also had a 10.0-severity flaw that runs commands without authentication (CVE-2026-48286). If you use Adobe Campaign Classic, you need to update it separately to the latest version.
Summary
Adobe ColdFusion has 9 newly published flaws, including ones that let an attacker take over a server from the outside without logging in. Five are rated the maximum 10.0 and require no user interaction at all. By merely sending a crafted file or malicious input, an attacker can run any command on the server, opening the door to website defacement, leaks of personal data, and a foothold into other systems.
The fix is clear: apply the latest update Adobe released (APSB26-68) immediately. If that's not possible right away, buy time by making ColdFusion unreachable from outside, and check whether you've already been breached. ColdFusion has been targeted again and again. "It's running, so it's fine" is exactly the trap — acting now is what prevents the damage.
Update history
- July 1, 2026: First published (created following the 9 NVD entries dated June 30, 2026 and Adobe security bulletin APSB26-68).
References
- Adobe — Security update available for Adobe ColdFusion (APSB26-68)
- NVD — CVE-2026-48276 (CVSS 10.0, unrestricted file upload)
- NVD — CVE-2026-48277 (CVSS 10.0, improper input validation)
- NVD — CVE-2026-48281 (CVSS 10.0, improper input validation)
- NVD — CVE-2026-48282 (CVSS 10.0, path traversal)
- NVD — CVE-2026-48283 (CVSS 10.0, unrestricted file upload)
- NVD — CVE-2026-48313 (CVSS 9.3, path traversal)
- NVD — CVE-2026-48315 (CVSS 9.3, improper input validation)
- NVD — CVE-2026-48307 (CVSS 8.8, cross-site scripting)
- NVD — CVE-2026-48285 (CVSS 8.6, SSRF)
- NVD — CVE-2026-48286 (Adobe Campaign Classic, CVSS 10.0, incorrect authorization)
- Adobe — ColdFusion (2025 release) updates
- CISA KEV dashboard (Japanese)

Makoto Horikawa
Backend Engineer / AWS / Django