CVE Catalog

CVE-2026-48276

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.92%

56th percentile — higher than 56% of all known CVEs

Summary

A vulnerability in ColdFusion allows unrestricted upload of files with dangerous types, potentially leading to arbitrary code execution in the context of the current user. Exploitation requires no user interaction and the scope is changed.

Risk Assessment

The organization is at risk of an attacker taking control of the ColdFusion server, executing arbitrary code, which could lead to data theft, malware installation, or further attacks on the infrastructure.

Recommendation

Immediately update ColdFusion to version 2025.9.1 or later (for 2025 series) and 2023.21 or later (for 2023 series). In the meantime, restrict access to the admin panel and implement file upload filtering mechanisms.

Original NVD description (English source)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS