Adobe disclosed two high-severity vulnerabilities in ColdFusion that affect versions 2023.18, 2025.6, and earlier. The first, CVE-2026-27304, is an improper input validation flaw (CWE-20) that can lead to arbitrary code execution in the context of the current user without requiring user interaction. Adobe assigned the issue a CVSS v3.1 vector of AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N and published details in security bulletin APSB26-38.
Adobe also disclosed CVE-2026-27305, a path traversal vulnerability (CWE-22) in the same ColdFusion versions that allows an unauthenticated remote attacker to perform arbitrary file system reads and access sensitive files outside intended directories. The flaw likewise requires no user interaction and carries a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, making the pair of issues a significant risk for exposed ColdFusion deployments.
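The versions named above are the practical input for exposure triage. The following is an added example, not code from Adobe or Mallory: it parses reported ColdFusion version strings and flags hosts on the 2023 line at Update 18 or earlier, or on the 2025 line at Update 6 or earlier, as affected, and sends anything else (unparseable strings, release lines the bulletin does not name) to manual review. Reading "and earlier" as earlier updates on the same release line is an assumption, and the inventory records are constructed.

```python
import re

# Affected ranges as stated for CVE-2026-27304 / CVE-2026-27305 (APSB26-38):
# ColdFusion 2023 Update 18 and earlier, ColdFusion 2025 Update 6 and earlier.
# Assumption: "and earlier" means earlier updates on the same release line.
MAX_AFFECTED_UPDATE = {2023: 18, 2025: 6}

# Accepts "2023.18", "2025,6" and "2025 Update 7" style strings.
VERSION_RE = re.compile(r"^(\d{4})(?:[.,]\s*|\s*update\s*)(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Return (release_line, update) or None when the string is not a recognisable version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def triage(version_text):
    """Classify one reported version as 'affected', 'not_affected' or 'review'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"  # unparseable: check by hand rather than silently skip the host
    line, update = parsed
    if line not in MAX_AFFECTED_UPDATE:
        return "review"  # release line not named in the bulletin (e.g. 2021): verify with Adobe
    return "affected" if update <= MAX_AFFECTED_UPDATE[line] else "not_affected"


def triage_inventory(records):
    """Map each (hostname, version string) pair to its triage status."""
    return {host: triage(version) for host, version in records}


# Constructed inventory records for demonstration, not real hosts.
INVENTORY = [
    ("cf-app-01", "2023.18"),
    ("cf-app-02", "2025 Update 7"),
    ("cf-legacy-01", "2021.12"),
    ("cf-app-03", "2025.6"),
    ("cf-app-04", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```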

Timeline (2 events, most recent first):
Adobe disclosed CVE-2026-27306, an improper input validation flaw in ColdFusion 2023.18, 2025.6, and earlier that could lead to arbitrary code execution in the current user's context. Adobe said exploitation requires elevated privileges and user interaction, including opening a malicious file, and referenced the issue in advisory APSB26-38.
Adobe disclosed two high-severity ColdFusion vulnerabilities, CVE-2026-27304 and CVE-2026-27305, affecting ColdFusion 2023.18, 2025.6, and earlier versions. The flaws can enable arbitrary code execution and arbitrary file read respectively without user interaction, and were referenced in Adobe advisory APSB26-38.
Sources: helpx.adobe.com; cvefeed.io (three entries).