{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27282", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-02-18T22:02:41.390Z", "datePublished": "2026-04-14T21:53:57.872Z", "dateUpdated": "2026-04-15T17:42:33.468Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "ColdFusion", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2025.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T21:53:57.872Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"}], "source": {"discovery": "EXTERNAL"}, "title": "ColdFusion | Improper Input Validation (CWE-20)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:42:26.913808Z", "id": "CVE-2026-27282", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:42:33.468Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:42:26.913808Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:42:30.728Z"}}], "cna": {"title": "ColdFusion | Improper Input Validation (CWE-20)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "modifiedScope": "UNCHANGED", "temporalScore": 7.5, "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "NONE", "environmentalScore": 7.5, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "NONE", "environmentalSeverity": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "NONE", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "ColdFusion", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2025.6"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T21:53:57.872Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27282", "state": "PUBLISHED", "dateUpdated": "2026-04-15T17:42:33.468Z", "dateReserved": "2026-02-18T22:02:41.390Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T21:53:57.872Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*", "matchCriteriaId": "B02A37FE-5D31-4892-A3E6-156A8FE62D28", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*", "matchCriteriaId": "0AA3D302-CFEE-4DFD-AB92-F53C87721BFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*", "matchCriteriaId": "645D1B5F-2DAB-4AB8-A465-AC37FF494F95", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*", "matchCriteriaId": "ED6D8996-0770-4C9F-BEA5-87EA479D40A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*", "matchCriteriaId": "4836086E-3D4A-4A07-A372-382D385CB490", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*", "matchCriteriaId": "CBC19168-4184-4B59-B9C8-E98844124EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*", "matchCriteriaId": "A60DCD92-9A5B-411C-9554-642C91D77FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*", "matchCriteriaId": "58CC65EF-60A3-4DFA-AA51-E5013F116CEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*", "matchCriteriaId": "2E3EBFB1-4488-4924-A2E2-B7E422D68345", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*", "matchCriteriaId": "A683F9B2-A0DC-4AA0-BE97-9E74FA200AB1", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*", "matchCriteriaId": "8689F35F-9A81-45D2-B782-DBA12306BA45", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*", "matchCriteriaId": "EB88D4FE-5496-4639-BAF2-9F29F24ABF29", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*", "matchCriteriaId": "43E0ED98-2C1F-40B8-AF60-FEB1D85619C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*", "matchCriteriaId": "76204873-C6E0-4202-8A03-0773270F1802", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*", "matchCriteriaId": "C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*", "matchCriteriaId": "E3A83642-BF14-4C37-BD94-FA76AABE8ADC", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*", "matchCriteriaId": "A892E1DC-F2C8-4F53-8580-A2D1BEED5A25", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*", "matchCriteriaId": "DB97ADBA-C1A9-4EE0-9509-68CB12358AE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*", "matchCriteriaId": "E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*", "matchCriteriaId": "30779417-D4E5-4A01-BE0E-1CE1D134292A", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*", "matchCriteriaId": "80D7FC6A-F264-4CB1-A18D-B091EBA47882", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*", "matchCriteriaId": "E3DA0D20-93BA-4C76-A400-159853CD7277", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*", "matchCriteriaId": "5BAB6F21-61F1-43AB-88BA-553CD9AD6C0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*", "matchCriteriaId": "C85288B9-5D63-49EA-828A-8DB3BB2367F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*", "matchCriteriaId": "3882A011-5A01-48E7-B5E7-5A837B1CE245", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*", "matchCriteriaId": "AACCE621-3380-4144-BA1B-AA26FE96B902", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction."}], "id": "CVE-2026-27282", "lastModified": "2026-04-16T14:43:12.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T22:16:29.257", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ColdFusion", "source": "cna", "vendor": "Adobe"}, "product": "coldfusion", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T23:23:44.307652+00:00", "value": {"mitigation_remediation": ["Upgrade Adobe ColdFusion to a version released after 2025.6 that addresses the input validation flaw.", "Implement strict input validation or whitelisting for all user\u2011supplied data to prevent similar bypasses.", "Enforce least privilege and restrict access to administrative features within ColdFusion to minimize potential damage if a bypass occurs."], "summary": {"action": "Patch Now", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "Adobe describes the affected products as ColdFusion releases up to and including 2025.6, specifically 2023.18 and any earlier builds. Administrators should verify whether their deployment falls within these versions.", "description_and_impact": "ColdFusion versions 2023.18, 2025.6 and earlier suffer from an improper input validation flaw that allows an attacker to bypass built\u2011in security controls. The vulnerability is listed as CWE-20 and can lead to unauthorized execution of privileged actions or access to protected resources. Exploitation of this issue requires the attacker to deliver malicious input that circumvents the expected validation logic.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity consequence, though exploitation requires user interaction, which reduces the immediacy of risk compared to purely remote attacks. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploitation in the wild. The likely attack vector involves a crafted input sent to a publicly exposed ColdFusion application, prompting the victim to submit data that bypasses security checks."}}}}, "created": "2026-04-15T13:48:23.618826+00:00", "updated": "2026-04-15T14:31:57.027884+00:00", "vendors": ["adobe", "adobe$PRODUCT$coldfusion"]}