CVE-2026-47929

HIGH

ColdFusion | Incorrect Authorization (CWE-863)

Title source: cna

Description

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

Scores

CVSS v3 8.4
EPSS 0.0224
EPSS Percentile 80.4%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (3)
adobe/coldfusion 2023 (20 CPE variants)
adobe/coldfusion 2025 (9 CPE variants)
Adobe/ColdFusion < 2025.8
Published Jun 09, 2026
Tracked Since Jun 10, 2026