CVE-2026-48283
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk46th percentile — higher than 46% of all known CVEs
Summary
A vulnerability in ColdFusion allows unrestricted upload of files with dangerous types, potentially leading to arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the scope is changed.
Risk Assessment
The organization is at risk of an attacker gaining control over the ColdFusion server, executing arbitrary code, which could lead to data theft, malware installation, or further attacks on the infrastructure.
Recommendation
Immediately update ColdFusion to version 2025.9 or later (for version 2025) and to version 2023.20 or later (for version 2023). Additionally, restrict user permissions and implement file upload validation mechanisms.
Original NVD description (English source)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

