CVE-2026-47928
Published: 09 June 2026
Summary
CVE-2026-47928 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.4% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. The flaw is tracked as CVE-2026-47928, carries a CVSS 3.1 score of 9.6, and is linked to CWE-20.
An attacker on an adjacent network can exploit the issue without authentication or user interaction, resulting in changed scope and full impact on confidentiality, integrity, and availability.
Adobe has published security advisory APSB26-64 at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html to address the vulnerability.
The associated EPSS score shows a flat trajectory at 0.0887 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35830
Vulnerability details
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Improper input validation in ColdFusion enables unauthenticated RCE on a public-facing web application server.
Affected Assets
- Adobe ColdFusion 2023.19, 2025.8 and earlier versions
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to the ColdFusion application, blocking the malformed data that leads to arbitrary code execution in CVE-2026-47928.
- SI-2 (Flaw Remediation): mandates prompt application of Adobe's APSB26-64 patch to eliminate the improper-input-validation flaw before exploitation occurs.
- Malicious code protection: deploys malicious-code detection mechanisms that can identify and block the code-execution payload delivered via the input-validation bypass.