{"uuid": "1c412c4c-3961-4c01-801f-63c8280b44cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48276", "type": "seen", "source": "https://gist.github.com/alon710/5cc09119469b7bc7e37fcd9f59fdfdb0", "content": "# CVE-2026-48276: CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion\n\n&gt; **CVSS Score:** 10.0\n&gt; **Published:** 2026-06-30\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48276\n\n## Summary\nAdobe ColdFusion versions 2025.9 and 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434). An unauthenticated remote attacker can exploit this flaw to upload malicious ColdFusion Markup Language (CFML) files directly into web-accessible directories. Accessing the uploaded script triggers arbitrary code execution in the security context of the running service account.\n\n## TL;DR\nA critical-severity unrestricted file upload vulnerability in Adobe ColdFusion allows unauthenticated remote attackers to execute arbitrary system commands via crafted web scripts.\n\n## Technical Details\n\n- **CWE ID**: CWE-434\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: No public exploits currently documented\n- **KEV Status**: Not listed in CISA KEV catalog\n- **Impact**: Unauthenticated Remote Code Execution\n\n## Affected Systems\n\n- Adobe ColdFusion 2023\n- Adobe ColdFusion 2025\n\n## Mitigation\n\n- Deploy official security hotfixes from Adobe immediately.\n- Implement strict web-server level execute permission restrictions on all upload directories.\n- Configure the ColdFusion application runtime to execute under a dedicated low-privilege service account.\n\n**Remediation Steps:**\n1. Audit all corporate networks to locate active ColdFusion 2023 and 2025 deployments.\n2. For ColdFusion 2025 instances, apply Update 10 or later.\n3. For ColdFusion 2023 instances, apply Update 21 or later.\n4. Confirm patch application by reviewing the active updates tab in the ColdFusion Administrator console.\n5. Configure web server execution maps to prevent execution of server-side files within writable storage directories.\n\n## References\n\n- [Official Adobe Security Advisory (APSB26-68)](https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html)\n- [CVE-2026-48276 Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-48276)\n- [Wiz Vulnerability Database Details](https://www.wiz.io/vulnerability-database/cve/cve-2026-48276)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48276) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T11:51:38.029504Z"}