CVE-2026-48307

HIGH

ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)

Title source: cna
STIX 2.1

Description

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.0031
EPSS Percentile 23.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (3)
adobe/coldfusion 2023 (21 CPE variants)
adobe/coldfusion 2025 (10 CPE variants)
Adobe/ColdFusion < 2023.20
Published Jun 30, 2026
Tracked Since Jun 30, 2026