Cyber Resilience

CVE-2026-27306

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0030 21.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27306 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Coldfusion. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27306 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. Published on 2026-04-14, this flaw could result in arbitrary code execution in the context of the current user. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H).

Exploitation requires an attacker with elevated privileges (PR:H) who has adjacent network access (AV:A) and can leverage low attack complexity (AC:L). A victim must open a malicious file, enabling the attacker to achieve arbitrary code execution with high impacts on confidentiality, integrity, and availability.

Adobe's Product Security Bulletin APSB26-38, available at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, details mitigation steps and available patches for addressing this vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in…

more

that a victim must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Improper input validation enables arbitrary code execution triggered by opening a malicious file (direct match to T1203 Exploitation for Client Execution); resulting code exec in user context facilitates command/scripting interpreter usage (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61809Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion
CVE-2025-61811Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2025-61813Same product: Adobe Coldfusion
CVE-2026-27305Same product: Adobe Coldfusion
CVE-2025-54261Same product: Adobe Coldfusion
CVE-2025-49535Same product: Adobe Coldfusion
CVE-2025-49551Same product: Adobe Coldfusion

Affected Assets

adobe
coldfusion
2023, 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of all information inputs to prevent arbitrary code execution from the improper input validation flaw in ColdFusion.

prevent

Requires timely remediation of flaws, including applying Adobe patches for this specific ColdFusion vulnerability to eliminate the input validation weakness.

preventdetect

Malicious code protection scans and blocks potentially exploitative files that victims might open to trigger the vulnerability.

References