CVE-2026-27306
Published: 14 April 2026
Summary
CVE-2026-27306 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Coldfusion. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of all information inputs to prevent arbitrary code execution from the improper input validation flaw in ColdFusion.
Requires timely remediation of flaws, including applying Adobe patches for this specific ColdFusion vulnerability to eliminate the input validation weakness.
Malicious code protection scans and blocks potentially exploitative files that victims might open to trigger the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper input validation enables arbitrary code execution triggered by opening a malicious file (direct match to T1203 Exploitation for Client Execution); resulting code exec in user context facilitates command/scripting interpreter usage (T1059).
NVD Description
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in…
more
that a victim must open a malicious file.
Deeper analysisAI
CVE-2026-27306 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. Published on 2026-04-14, this flaw could result in arbitrary code execution in the context of the current user. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H).
Exploitation requires an attacker with elevated privileges (PR:H) who has adjacent network access (AV:A) and can leverage low attack complexity (AC:L). A victim must open a malicious file, enabling the attacker to achieve arbitrary code execution with high impacts on confidentiality, integrity, and availability.
Adobe's Product Security Bulletin APSB26-38, available at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, details mitigation steps and available patches for addressing this vulnerability.
Details
- CWE(s)