Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2023-26360
PUBLISHED
Adobe ColdFusion Improper Access Control Arbitrary code execution
- Vendor: Adobe
- Product: ColdFusion
- Published: Mar 23, 2023
- EPSS: —
Description
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitation status
Exploited in the wild
Recorded 2023-03-15 00:00:00 UTC
SSVC decision points
- Exploitation: active
- Automatable: Yes
- Technical impact: total
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Mar 15, 2023 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
metasploit · Created Unknown
Metasploit module for CVE-2023-26360
github · Created 2024-05-14 11:22:35 UTC · 4 stars
github · Created 2023-12-26 06:26:01 UTC · 4 stars
Exploit for Arbitrary File Read for CVE-2023-26360 - Adobe Coldfusion
Timeline
- CVE ID Reserved
- Added to KEVIntel
- CVE Published to Public
- Detected by Nuclei
- Detected by Metasploit