CVE-2026-48276
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk56th percentile — higher than 56% of all known CVEs
Summary
A vulnerability in ColdFusion allows unrestricted upload of files with dangerous types, potentially leading to arbitrary code execution in the context of the current user. Exploitation requires no user interaction and the scope is changed.
Risk Assessment
The organization is at risk of an attacker taking control of the ColdFusion server, executing arbitrary code, which could lead to data theft, malware installation, or further attacks on the infrastructure.
Recommendation
Immediately update ColdFusion to version 2025.9.1 or later (for 2025 series) and 2023.21 or later (for 2023 series). In the meantime, restrict access to the admin panel and implement file upload filtering mechanisms.
Original NVD description (English source)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

