Summary
CVE-2026-48276 is a critical Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Adobe ColdFusion that enables unauthenticated remote attackers to execute arbitrary code on affected servers. The flaw affects ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier) on all platforms, and carries a maximum CVSS 3.1 score of 10.0. Adobe has assigned this vulnerability its highest priority rating (Priority 1), indicating it should be remediated within 72 hours.
Technical details
- Root cause: Insufficient validation of uploaded file types (CWE-434 — Unrestricted Upload of File with Dangerous Type), allowing attackers to upload files of a dangerous type — such as executable scripts or webshells — directly to the server without restriction.
- Trigger conditions: No authentication, no user interaction, and no special network positioning are required. Any unauthenticated attacker with network access to the ColdFusion server can trigger the vulnerability.
- Attack vector: Network-based, with low attack complexity. The vulnerability is fully exploitable over the internet against any internet-exposed ColdFusion instance.
- Impact: Successful exploitation results in arbitrary code execution in the context of the current user. The changed scope (S:C) in the CVSS vector indicates the impact can extend beyond the vulnerable ColdFusion component to other resources on the system or network.
Affected software
- Adobe ColdFusion 2025, Update 9 and earlier (all platforms)
- Adobe ColdFusion 2023, Update 20 and earlier (all platforms)
Severity
CVSS v3.1 Base Score: 10.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Mitigation and recommended actions
- Immediate: Upgrade to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, which contain Adobe’s fix for this vulnerability.
- Update JDK/JRE to the latest LTS version and apply the security configuration settings documented in Adobe’s ColdFusion Lockdown guides.
- For JEE-based installations, apply the JVM serialization filter flags recommended in Adobe’s security guidance to prevent additional attack surface.
- Where immediate patching is not possible, restrict public network access to ColdFusion server ports and administrative interfaces as an interim network-level mitigation.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

