CVE-2023-26359 CRITICAL

CVE-2023-26359: Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution

Vendor Adobe

Product ColdFusion

Weakness CWE-502 · Unsafe deserialization

KEV Status Known Exploited

Published March 23, 2023

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

March 23, 2023 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26359 CISA KEV Reference https://helpx.adobe.com/security/products/coldfusion/apsb23-25… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2023-26359

Related vulnerabilities

Identifiers

CVE CVE-2023-26359

CWE CWE-502

CVSS 9.8 / CRITICAL

Affected versions

Vendor Adobe

Product ColdFusion

Affected ≥ unspecified and ≤ CF2018U15, CF2021U5

Vendor Adobe

Product ColdFusion

Affected ≥ unspecified and ≤ None

CVE-2023-26359: Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE