CVE-2026-27282 - Vulnerability Details - OpenCVE

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00213.

Key SSVC decision points have not yet been added.

Vendors	Products
Adobe Subscribe	Coldfusion Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Adobe Subscribe	Coldfusion Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html

History

Wed, 15 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe coldfusion
Vendors & Products		Adobe Adobe coldfusion

Tue, 14 Apr 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.
Title		ColdFusion \| Improper Input Validation (CWE-20)
Weaknesses		CWE-20
References		https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-04-14T21:53:57.872Z

Updated: 2026-04-15T17:42:33.468Z

Reserved: 2026-02-18T22:02:41.390Z

Link: CVE-2026-27282

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-04-14T22:16:29.257

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27282", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-02-18T22:02:41.390Z", "datePublished": "2026-04-14T21:53:57.872Z", "dateUpdated": "2026-04-15T17:42:33.468Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "ColdFusion", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2025.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T21:53:57.872Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"}], "source": {"discovery": "EXTERNAL"}, "title": "ColdFusion | Improper Input Validation (CWE-20)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:42:26.913808Z", "id": "CVE-2026-27282", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:42:33.468Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ColdFusion", "source": "cna", "vendor": "Adobe"}, "product": "coldfusion", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T23:23:44.307652+00:00", "value": {"mitigation_remediation": ["Upgrade Adobe ColdFusion to a version released after 2025.6 that addresses the input validation flaw.", "Implement strict input validation or whitelisting for all user\u2011supplied data to prevent similar bypasses.", "Enforce least privilege and restrict access to administrative features within ColdFusion to minimize potential damage if a bypass occurs."], "summary": {"action": "Patch Now", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "Adobe describes the affected products as ColdFusion releases up to and including 2025.6, specifically 2023.18 and any earlier builds. Administrators should verify whether their deployment falls within these versions.", "description_and_impact": "ColdFusion versions 2023.18, 2025.6 and earlier suffer from an improper input validation flaw that allows an attacker to bypass built\u2011in security controls. The vulnerability is listed as CWE-20 and can lead to unauthorized execution of privileged actions or access to protected resources. Exploitation of this issue requires the attacker to deliver malicious input that circumvents the expected validation logic.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity consequence, though exploitation requires user interaction, which reduces the immediacy of risk compared to purely remote attacks. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploitation in the wild. The likely attack vector involves a crafted input sent to a publicly exposed ColdFusion application, prompting the victim to submit data that bypasses security checks."}}}}, "created": "2026-04-15T13:48:23.618826+00:00", "updated": "2026-04-15T14:31:57.027884+00:00", "vendors": ["adobe", "adobe$PRODUCT$coldfusion"]}