Cyber Resilience

CVE-2026-47928

Severity: Critical (record updated)
Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0887 (94.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-47928 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. The flaw is tracked as CVE-2026-47928, carries a CVSS 3.1 score of 9.6, and is linked to CWE-20.

An attacker on an adjacent network can exploit the issue without authentication or user interaction, resulting in changed scope and full impact on confidentiality, integrity, and availability.

Adobe has published security advisory APSB26-64 at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html to address the vulnerability.

The associated EPSS score shows a flat trajectory at 0.0887 with no material rise after disclosure.


Vulnerability details

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper input validation in ColdFusion enables unauthenticated RCE on a public-facing web application server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Adobe ColdFusion 2023, 2025

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of all inputs to the ColdFusion application, blocking the malformed data that leads to arbitrary code execution in CVE-2026-47928.

SI-2 Flaw Remediation (prevent)
Mandates prompt application of Adobe's APSB26-64 patch to eliminate the improper-input-validation flaw before exploitation occurs.

SI-3 Malicious Code Protection (prevent, detect)
Deploys malicious-code detection mechanisms that can identify and block the code-execution payload delivered via the input-validation bypass.
