Mallory

Adobe ColdFusion Flaws Enable Unauthenticated Code Execution and File Read

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated April 15, 2026 at 12:07 AM (3 sources)

Adobe disclosed two high-severity vulnerabilities in ColdFusion affecting versions 2023.18, 2025.6, and earlier. The first, CVE-2026-27304, is an improper input validation flaw (CWE-20) that can lead to arbitrary code execution in the context of the current user, which on a server deployment is the account the ColdFusion service runs as, without requiring any user interaction. Adobe assigned it the CVSS v3.1 vector AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N: adjacent-network attack vector, low attack complexity, no privileges and no user interaction required, a scope change, high confidentiality and integrity impact, and no availability impact. Details are published in security bulletin APSB26-38.

Adobe also disclosed CVE-2026-27305, a path traversal vulnerability (CWE-22) in the same ColdFusion versions that allows an unauthenticated remote attacker to read arbitrary files, including sensitive files outside the directories the application is meant to serve. It likewise requires no user interaction and carries the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N: reachable over the network with no privileges, a scope change, and high confidentiality impact with no integrity or availability impact. Together the two issues are a significant risk for exposed ColdFusion deployments; an unauthenticated file read is routinely chained with other weaknesses because it can expose configuration files and the credentials they contain.

Timeline

  1. Apr 14, 2026

    Adobe discloses ColdFusion CVE-2026-27306

    Adobe disclosed CVE-2026-27306, an improper input validation flaw in ColdFusion 2023.18, 2025.6, and earlier that could lead to arbitrary code execution in the current user's context. Unlike the other two issues, Adobe said exploitation requires elevated privileges and user interaction, including opening a malicious file. The issue is covered in the same advisory, APSB26-38.

  2. Apr 14, 2026

    Adobe discloses ColdFusion CVE-2026-27304 and CVE-2026-27305

    Adobe disclosed two high-severity ColdFusion vulnerabilities, CVE-2026-27304 and CVE-2026-27305, affecting ColdFusion 2023.18, 2025.6, and earlier versions. The flaws can enable arbitrary code execution and arbitrary file read respectively without user interaction, and were referenced in Adobe advisory APSB26-38.
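The arbitrary file read in CVE-2026-27305 is a CWE-22 path traversal, so the observable on the wire is a request whose path or parameter tries to climb out of the directory the application serves. The scanner below is an added example, not Adobe's or Mallory's code and not derived from the vulnerable endpoint, which the page does not identify. It canonicalizes each request target (repeated percent-decoding to catch double encoding, backslash to slash, duplicate-slash collapse) and flags targets that escape the root or name an absolute path in a query value. The access log lines are constructed for the example, and the .cfm paths in them are hypothetical.

```python
"""Flag CWE-22 path-traversal attempts in web-server access logs.

Added example, not Adobe's or Mallory's code. The sample log and the
request paths in it are constructed for illustration and are not the
endpoint affected by CVE-2026-27305.
"""
import re
from urllib.parse import unquote

# Combined log format (Apache/NGINX): client - user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a benign client, a probing client, and one relative path
# that resolves inside the root and must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2026:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.10 - - [14/Apr/2026:10:01:05 +0000] "GET /app/view.cfm?file=reports/q1.pdf HTTP/1.1" 200 88210
198.51.100.7 - - [14/Apr/2026:10:02:11 +0000] "GET /app/view.cfm?file=../../../../etc/passwd HTTP/1.1" 200 1473
198.51.100.7 - - [14/Apr/2026:10:02:13 +0000] "GET /app/view.cfm?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 221
198.51.100.7 - - [14/Apr/2026:10:02:15 +0000] "GET /app/view.cfm?file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 92
198.51.100.7 - - [14/Apr/2026:10:02:20 +0000] "GET /..%5c..%5cwindows/win.ini HTTP/1.1" 404 310
192.0.2.44 - - [14/Apr/2026:10:03:00 +0000] "GET /static/../index.cfm HTTP/1.1" 200 5123
"""


def canonicalize(target: str, max_rounds: int = 3) -> str:
    """Undo the encodings layered on to slip past naive '../' filters:
    percent-decode until stable (double encoding), treat backslash as '/', collapse '//'."""
    s = target
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    return re.sub(r"/+", "/", s)


def escapes_root(path: str) -> bool:
    """Walk segments with a depth counter; a '..' that drops below the root is traversal.
    '/static/../index.cfm' never goes below depth 0 and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def looks_absolute(value: str) -> bool:
    """A query value naming a root-anchored or drive-letter path is also CWE-22."""
    return value.startswith("/") or re.match(r"^[A-Za-z]:/", value) is not None


def is_traversal_attempt(target: str) -> bool:
    """Check the request path and every query-string value after canonicalization."""
    canon = canonicalize(target)
    path, _, query = canon.partition("?")
    if escapes_root(path):
        return True
    for pair in (query.split("&") if query else []):
        _, _, value = pair.partition("=")
        if value and (escapes_root(value) or looks_absolute(value)):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (ip, status, target) for every parsable line that looks like traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Running scan_log on the sample flags the four requests from 198.51.100.7 and leaves /static/../index.cfm alone, since that path resolves inside the root. Against real logs, treat a hit with a 200 status and a plausible byte count as evidence that the read may have succeeded rather than merely been attempted; the 403 and 404 lines in the sample show attempts that were refused.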

Related Stories

Multiple Critical Vulnerabilities Disclosed in Adobe ColdFusion

Adobe has released security updates addressing several critical and high-severity vulnerabilities in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. The vulnerabilities include improper input validation, improper access control, unrestricted upload of files with dangerous types, deserialization of untrusted data, and improper restriction of XML external entity references. These flaws could allow attackers to bypass security features, gain unauthorized read and write access, execute arbitrary code, escalate privileges, and read sensitive files from the server. Most of these vulnerabilities can be exploited remotely and do not require user interaction, with some specifically requiring high-privileged access. Adobe's security bulletin (APSB25-105) confirms that there are currently no known exploits in the wild for these issues. The company strongly recommends users update to the latest versions—ColdFusion 2025 Update 5, 2023 Update 17, and 2021 Update 23—to mitigate the risks. Additional guidance includes using the latest MySQL Java connector and reviewing updated serial filter documentation to protect against insecure deserialization attacks. Organizations using affected ColdFusion versions should prioritize patching to prevent potential exploitation of these vulnerabilities.

1 month ago
Multiple Critical Vulnerabilities in Adobe Products Allowing Arbitrary Code Execution

Adobe released security advisories addressing multiple vulnerabilities across a range of its products, including ColdFusion, Adobe Experience Manager (AEM), DNG Software Development Kit (SDK), Acrobat, Acrobat Reader, and the Creative Cloud Desktop Application. The most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user, potentially enabling attackers to install programs, modify or delete data, or create new accounts with full user rights. Affected versions span ColdFusion 2025, 2023, and 2021, AEM Cloud Service and 6.5 LTS, DNG SDK 1.7.0 and prior, Acrobat and Acrobat Reader 2020 and 2024 for both Windows and Mac, and Creative Cloud Desktop Application 6.4.0.361 and earlier. Users and administrators are strongly encouraged to review the official advisories and apply the necessary updates to mitigate risk. Threat intelligence at the time of disclosure indicated no reports of these vulnerabilities being exploited in the wild. The advisories emphasize that users with administrative privileges are at greater risk if exploited, and recommend prompt patching to reduce exposure. Organizations relying on Adobe products for document management, web application development, or digital asset workflows should prioritize these updates to prevent potential compromise through remote code execution vulnerabilities.

1 month ago
Adobe Connect Flaws Expose Users to XSS and Potential Code Execution

Adobe disclosed two high-severity vulnerabilities in Adobe Connect affecting versions 2025.3, 12.10, and earlier, and directed customers to advisory APSB26-37 for remediation. One issue, CVE-2026-27246, is a DOM-based cross-site scripting flaw classified as CWE-79 that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim's session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed CVE-2026-34615, a CWE-502 deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues; both bugs were published through Adobe's PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.

2 weeks ago
