Platform
coldfusion
Component
coldfusion
Fixed in
2025.6.1
CVE-2026-27308 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. An attacker who already holds high privileges in the ColdFusion environment can exhaust system resources, leading to a denial-of-service condition or degraded application performance. The vulnerability affects ColdFusion 2023.18, ColdFusion 2025.6, and earlier releases; it is resolved in version 2025.6.1.
Successful exploitation of CVE-2026-27308 results in a denial-of-service (DoS) condition for the ColdFusion application: an attacker with elevated privileges triggers resource exhaustion, causing the application to slow down significantly or stop responding. This can disrupt business operations and affect users' ability to reach critical services. No user interaction is required, but the attacker must already hold sufficient permissions to manipulate the ColdFusion environment, which is why the severity is rated low. The blast radius is limited to the affected ColdFusion application and the host it runs on.
CVE-2026-27308 was publicly disclosed on 2026-04-14. The CVSS base score is 2.4 (LOW); note that CVSS rates severity, not likelihood of exploitation, which is tracked separately by the EPSS figure below. No public proof-of-concept (PoC) code had been released at the time of writing, and the CVE is not listed in the CISA KEV catalog.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27308 is to upgrade ColdFusion to version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, reduce exposure in the meantime: because exploitation requires a high-privileged account, review who holds administrative access to the ColdFusion environment and remove accounts that do not need it, and consider rate limiting requests to the ColdFusion application. Monitor system resource utilization (CPU, memory, disk I/O) for unusual spikes that could indicate exploitation attempts. After upgrading, confirm that every instance reports version 2025.6.1 or later; if you have an internal reproduction of the resource exhaustion condition, re-run it and verify that it no longer occurs.
Adobe recommends updating to version 2025.6.1 or later to mitigate this vulnerability. The update corrects the excessive resource consumption issue that could lead to a denial of service. See the Adobe Security Advisory APSB26-38 for more details and upgrade instructions.
CVE-2026-27308 is a denial-of-service vulnerability in ColdFusion affecting version 2025.6 and earlier (including 2023.18 and earlier on the 2023 release line). A high-privileged attacker can exhaust system resources, degrading application performance or making it unresponsive.
You are affected if you are running ColdFusion versions 2023.18, 2025.6, or earlier. Upgrade to 2025.6.1 or later to mitigate the risk.
Upgrade ColdFusion to version 2025.6.1 or later. As a temporary workaround, implement rate limiting for requests to the application.
There are currently no reports of active exploitation and no public proof-of-concept code; the CVE is not listed in the CISA KEV catalog.
Refer to the Adobe Security Bulletin for CVE-2026-27308 on the Adobe website.
CVSS Vector