CVE-2026-27306

High

Published: 14 April 2026

Published

14 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0011 28.7th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in…

that a victim must open a malicious file.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates validation of all information inputs to prevent arbitrary code execution from the improper input validation flaw in ColdFusion.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws, including applying Adobe patches for this specific ColdFusion vulnerability to eliminate the input validation weakness.

SI-3 Malicious Code Protection partial match

preventdetect

Malicious code protection scans and blocks potentially exploitative files that victims might open to trigger the vulnerability.

Security SummaryAI

CVE-2026-27306 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. Published on 2026-04-14, this flaw could result in arbitrary code execution in the context of the current user. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H).

Exploitation requires an attacker with elevated privileges (PR:H) who has adjacent network access (AV:A) and can leverage low attack complexity (AC:L). A victim must open a malicious file, enabling the attacker to achieve arbitrary code execution with high impacts on confidentiality, integrity, and availability.

Adobe's Product Security Bulletin APSB26-38, available at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, details mitigation steps and available patches for addressing this vulnerability.

Details

CWE(s): CWE-20

Affected Products

adobe

coldfusion

2023, 2025

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Improper input validation enables arbitrary code execution triggered by opening a malicious file (direct match to T1203 Exploitation for Client Execution); resulting code exec in user context facilitates command/scripting interpreter usage (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html
Vendor Advisory · psirt@adobe.com