CVE-2026-48325 PUBLISHED

ColdFusion | Missing Authentication for Critical Function (CWE-306)

Assigner: adobe
Reserved: 21.05.2026 Published: 14.07.2026 Updated: 15.07.2026

ColdFusion is affected by a Missing Authentication for Critical Function vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.3

Product Status

Vendor Adobe
Product ColdFusion 2025
Versions Default: affected
  • affected from 0 to 10 (incl.)
  • Version 11 is unaffected
Vendor Adobe
Product ColdFusion 2023
Versions Default: affected
  • affected from 0 to 21 (incl.)
  • Version 22 is unaffected

References

Problem Types

  • Missing Authentication for Critical Function (CWE-306) CWE