CVE Catalog

CVE-2026-48283

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.63%

46th percentile — higher than 46% of all known CVEs

Summary

A vulnerability in ColdFusion allows unrestricted upload of files with dangerous types, potentially leading to arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the scope is changed.

Risk Assessment

The organization is at risk of an attacker gaining control over the ColdFusion server, executing arbitrary code, which could lead to data theft, malware installation, or further attacks on the infrastructure.

Recommendation

Immediately update ColdFusion to version 2025.9 or later (for version 2025) and to version 2023.20 or later (for version 2023). Additionally, restrict user permissions and implement file upload validation mechanisms.

Original NVD description (English source)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS