NCSC-2026-0217 [1.00] [M/H] Vulnerabilities fixed in Adobe ColdFusion
Adobe has fixed multiple vulnerabilities in Adobe ColdFusion versions 25.9, 23.20, and earlier versions. The vulnerabilities in Adobe ColdFusion include unrestricted upload of dangerous file types, improper input validation, path traversal, reflected Cross-Site Scripting (XSS), and Server-Side Request Forgery (SSRF). These vulnerabilities allow an attacker to execute arbitrary code without any user interaction, read or write files, and bypass security measures. The path traversal vulnerabilities can lead to access to and modification of files outside the intended directories. The XSS vulnerability arises from insufficient sanitization of user input in URLs, allowing malicious scripts to be injected and executed in a user's browser. The SSRF vulnerability allows an attacker to manipulate server-side requests and gain unauthorized access to resources. These issues are present in multiple versions of ColdFusion, indicating a broad impact area within the product line.
CSIRTS triage
- What
- Multiple vulnerabilities in Adobe ColdFusion allow for arbitrary code execution, file access, and security bypass.
- Who is affected
- Deployments of Adobe ColdFusion versions 25.9, 23.20, and earlier are affected.
- Urgency
- Remediation is urgent due to the high severity of the vulnerabilities and potential exploitation.
- Action
- Upgrade to the latest version of Adobe ColdFusion to mitigate these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch ColdFusion
Get an email when a new ColdFusion advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0217
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-482760.92% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 56% of all scored CVEs.
- Low exploitation riskCVE-2026-482770.85% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Low exploitation riskCVE-2026-482810.85% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Elevated exploitation riskCVE-2026-4828228.6% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all scored CVEs.
- Low exploitation riskCVE-2026-482830.63% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 46% of all scored CVEs.
- Moderate exploitation riskCVE-2026-483131.6% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 73% of all scored CVEs.
- Low exploitation riskCVE-2026-483150.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
- Low exploitation riskCVE-2026-483070.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-482850.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
- Low exploitation riskCVE-2026-483140.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48276 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48277 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48281 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48282 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48283 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48313 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48315 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48307 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48285 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48314 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48316 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedAdobe security advisory (AV26-647) – Update 2cccs
- highexploitedCISA Adds One Known Exploited Vulnerability to Catalogcisa
- critical[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilitiescert-bund
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev
- criticalCVE-2026-48316: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- unknownMultiple vulnerabilities in Adobe ColdFusion (July 1, 2026)cert-fr-avis
- criticalCVE-2026-48315: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation v…nvd
- mediumCVE-2026-48314: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- criticalCVE-2026-48313: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pa…nvd
- highCVE-2026-48307: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripti…nvd
- highCVE-2026-48285: ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery …nvd
- criticalCVE-2026-48283: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File…nvd
Recent advisories for Adobe ColdFusion
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- critical[UPDATE] [critical] Adobe ColdFusion: Multiple Vulnerabilitiescert-bund · 2026-07-07
- criticalexploitedCVE-2026-48282: Adobe ColdFusion Path Traversal Vulnerabilitycisa-kev · 2026-07-07
- unknownMultiple vulnerabilities in Adobe ColdFusion (July 1, 2026)cert-fr-avis · 2026-07-01
- criticalexploitedCVE-2017-3066: Adobe ColdFusion Deserialization Vulnerabilitycisa-kev · 2025-02-24
- criticalexploitedCVE-2024-20767: Adobe ColdFusion Improper Access Control Vulnerabilitycisa-kev · 2024-12-16
- criticalexploitedCVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilitycisa-kev · 2024-01-08
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03