CVE-2023-26360

CVE Database · CVE-2023-26360

CVE-2023-26360

· HIGHAnalyzed

CVSS v3.1

8.6

EPSS

97.11%

Published

Mar 23, 2023

Modified

Oct 23, 2025

CISA Known Exploited Vulnerability

Added: 2023-03-15 · Due: 2023-04-05

Apply updates per vendor instructions.

Public PoC / Exploit (8)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCyosef0x01/CVE-2023-26360★5 GitHub PoCjakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit★5 GitHub PoCCuriousLearnerDev/ColdFusion_EXp★1 GitHub PoCH3rm1tR3b0rn/CVE-2023-26360-RCE★1 GitHub PoCRyanRodrigues880/CVE-2023-26360★0 GitHub PoCjoaoaugustom/Adobe_ColdFusion_RCE_Unauthenticated★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Weaknesses (CWE)

CWE-284

Affected Products (22)

adobe · coldfusionvulnerable

· coldfusion

References (5)

http://packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

PatchVendor Advisory

http://packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

PatchVendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26360

KEV Catalog EPSS Scores Vendors All CVEs