Platform: coldfusion
Component: coldfusion
Fixed in: 2025.6.1
CVE-2026-27307 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. This flaw allows a high-privileged attacker to exhaust system resources, leading to a denial-of-service condition and reduced application performance. The vulnerability impacts ColdFusion versions from 0.0.0 up to and including 2025.6. A patch is available in version 2025.6.1.
Successful exploitation of CVE-2026-27307 allows an attacker to initiate a denial-of-service (DoS) condition within a ColdFusion application. The attacker can trigger excessive resource consumption, such as CPU or memory, effectively slowing down or crashing the application. This can disrupt service availability for legitimate users and potentially impact other services running on the same server. The vulnerability does not require user interaction, but it does require an attacker who already holds elevated privileges within the ColdFusion environment.
CVE-2026-27307 was publicly disclosed on 2026-04-14. The vulnerability has a LOW CVSS score, indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, and there are no reports of active exploitation campaigns. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27307 is to upgrade to ColdFusion version 2025.6.1 or later, which includes the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing rate limiting on resource-intensive operations within the ColdFusion application to prevent excessive consumption. Monitoring system resource utilization (CPU, memory) is also recommended to detect potential attacks. After upgrading, confirm the fix by attempting to reproduce the resource exhaustion condition and verifying that it no longer occurs.
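The two interim measures above (rate limiting resource-intensive operations per principal, and monitoring CPU/memory for sustained exhaustion) are sketched below as an added example. This is not Adobe's code and not part of ColdFusion; it is a generic model that would normally live in a reverse proxy or a monitoring job in front of the application. The operation budget (3 expensive calls per 60 seconds), the utilization thresholds, and the request and sample data are all constructed for illustration.

```python
"""Interim controls for an uncontrolled-resource-consumption bug such as
CVE-2026-27307: a per-principal sliding-window rate limiter for expensive
operations, and a detector that flags sustained CPU/memory exhaustion.

Added example, not Adobe's or ColdFusion's own code. Limits, thresholds and
sample data are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


class RateLimiter:
    """Sliding-window limiter: at most `limit` expensive calls per `window`
    seconds for each principal. Privileged accounts are limited as well,
    because the advisory's attacker already holds elevated privileges."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._calls: Dict[str, Deque[float]] = {}

    def allow(self, principal: str, now: float) -> bool:
        q = self._calls.setdefault(principal, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: reject rather than run the job
        q.append(now)
        return True


def simulate_requests(limiter: RateLimiter,
                      requests: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """requests: (time_seconds, principal). Returns per-principal
    (allowed, rejected) counts."""
    stats: Dict[str, Tuple[int, int]] = {}
    for t, who in requests:
        allowed, rejected = stats.get(who, (0, 0))
        if limiter.allow(who, t):
            allowed += 1
        else:
            rejected += 1
        stats[who] = (allowed, rejected)
    return stats


@dataclass
class Sample:
    ts: int        # seconds since start of the monitoring window (constructed)
    cpu_pct: float
    mem_pct: float


def sustained_exhaustion(samples: List[Sample], cpu_threshold: float = 90.0,
                         mem_threshold: float = 85.0,
                         min_consecutive: int = 3) -> List[Tuple[int, int]]:
    """Return (start_ts, end_ts) for every run of at least `min_consecutive`
    consecutive samples where CPU or memory is at or above its threshold.
    Requiring a run suppresses single-sample spikes from normal load."""
    alerts: List[Tuple[int, int]] = []
    run: List[int] = []  # timestamps of the current run of "hot" samples
    for s in samples:
        if s.cpu_pct >= cpu_threshold or s.mem_pct >= mem_threshold:
            run.append(s.ts)
            continue
        if len(run) >= min_consecutive:
            alerts.append((run[0], run[-1]))
        run = []
    if len(run) >= min_consecutive:
        alerts.append((run[0], run[-1]))
    return alerts


# Constructed inputs: one privileged account hammering an expensive
# operation, one ordinary user, and a metrics series with a sustained spike.
REQUESTS: List[Tuple[float, str]] = [
    (0, "admin"), (5, "admin"), (10, "admin"), (15, "admin"),
    (20, "alice"), (61, "admin"), (70, "admin"),
]
SAMPLES: List[Sample] = [
    Sample(0, 20, 40), Sample(10, 25, 41), Sample(20, 95, 60),
    Sample(30, 97, 70), Sample(40, 99, 88), Sample(50, 98, 90),
    Sample(60, 30, 45), Sample(70, 92, 50), Sample(80, 35, 50),
]

if __name__ == "__main__":
    print(simulate_requests(RateLimiter(3, 60.0), REQUESTS))
    print(sustained_exhaustion(SAMPLES))
```

With the constructed data, the privileged account gets its fourth call inside the window rejected and is allowed again once the oldest timestamps age out, and the detector reports a single alert spanning the four consecutive hot samples (ts 20 to 50) while ignoring the isolated spike at ts 70. Keying the limiter by principal rather than by source IP matters here because the attacker in this advisory is an authenticated, high-privileged user.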
Adobe recommends applying the update to ColdFusion version 2025.6.1 or later to mitigate the excessive resource consumption vulnerability. See the Adobe Security Advisory page APSB26-38 for further details and installation instructions.
CVE-2026-27307 is a denial-of-service vulnerability in ColdFusion affecting versions 0.0.0–2025.6. An attacker can exhaust system resources, leading to application slowdown or crashes.
You are affected if you are running ColdFusion versions 0.0.0 through 2025.6. Upgrade to 2025.6.1 or later to mitigate the risk.
Upgrade to ColdFusion version 2025.6.1 or a later version. Consider rate limiting and monitoring system resources as interim measures.
There are currently no reports of active exploitation campaigns for CVE-2026-27307, but vigilance is still advised.
Refer to the Adobe Security Bulletin for CVE-2026-27307 on the Adobe Security Advisories website.
CVSS Vector