Improper Input Validation in Adobe ColdFusion Pre-2025.6 Allows Code Exec
CVE-2026-27304 Published on April 14, 2026

ColdFusion | Improper Input Validation (CWE-20)
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2026-27304

Want to know whenever a new CVE is published for Adobe ColdFusion? stack.watch will email you.

Adobe ColdFusion

Affected Versions

Adobe ColdFusion:

Before and including 2025.6 is affected.

Improper Input Validation in Adobe ColdFusion Pre-2025.6 Allows Code ExecCVE-2026-27304 Published on April 14, 2026

Vulnerability Analysis

Weakness Type

Improper Input Validation

Products Associated with CVE-2026-27304

Affected Versions

Improper Input Validation in Adobe ColdFusion Pre-2025.6 Allows Code Exec
CVE-2026-27304 Published on April 14, 2026