⚠ Actively exploited
Added to CISA KEV on 2023-08-21. Federal agencies required to patch by 2023-09-11. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-26359: Deserialization of Untrusted Data in Adobe ColdFusion

Severity
9.8 CRITICAL (NVD)
EPSS
85.7%
top 0.62%
CISA KEV
KEV
Added 2023-08-21
Due 2023-09-11
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Mar 23
KEV added: Aug 21
KEV due: Sep 11
Latest update: Dec 6

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: adobe/coldfusion, version unspecified, CF2018U15, CF2021U5 (+1)
NVD: adobe/coldfusion, 2018, 2021 (+1)

Patches

🔴 Vulnerability Details (3)
GHSA
GHSA-p4mq-mqpj-7xcj: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerabili… (2023-03-23)
CVEList
Adobe ColdFusion Deserialization of Untrusted Data: Arbitrary code execution (2023-03-23)
VulnCheck
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability (2023)

🔍 Detection Rules (2)
Suricata
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1 (2023-12-06)
Suricata
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2 (2023-12-06)

📋 Vendor Advisories (1)
CISA
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability (2023-08-21)
CVE-2023-26359 — Deserialization of Untrusted Data | cvebase