Platform: coldfusion
Component: coldfusion
Fixed in: 2025.6.1
CVE-2026-27308 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. This flaw allows a high-privileged attacker to exhaust system resources, potentially leading to a denial-of-service condition and reduced application performance. The vulnerability affects ColdFusion versions 2023.18, 2025.6, and earlier, but has been resolved in version 2025.6.1.
Successful exploitation of CVE-2026-27308 can result in a denial-of-service (DoS) condition for the ColdFusion application. An attacker, possessing elevated privileges, can trigger resource exhaustion, causing the application to slow down significantly or become unresponsive. This can disrupt business operations and potentially impact users' ability to access critical services. While the vulnerability doesn't require user interaction, it necessitates an attacker with sufficient permissions to manipulate the ColdFusion environment. The blast radius is limited to the affected ColdFusion application and its underlying infrastructure.
CVE-2026-27308 was publicly disclosed on 2026-04-14. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog.
Organizations running ColdFusion versions 2023.18, 2025.6, or earlier are at risk. This includes those with legacy ColdFusion deployments, shared hosting environments where ColdFusion is installed, and those who haven't recently updated their ColdFusion instances.
• coldfusion:
  Get-Process -Name ColdFusion | Select-Object CPU, WorkingSet64, VirtualMemorySize64
• coldfusion:
  Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ColdFusion']]]" -MaxEvents 100
• generic web: Check ColdFusion application logs for unusual patterns of requests or errors that might indicate resource exhaustion.
Disclosure
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27308 is to upgrade ColdFusion to version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as rate limiting requests to the ColdFusion application. Monitor system resource utilization (CPU, memory, disk I/O) for unusual spikes that could indicate exploitation attempts. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the resource exhaustion condition and verifying that it no longer occurs.
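The detection commands above and the monitoring advice in this paragraph can be combined into a small sampler. The following PowerShell script is an added example, not part of the advisory or an Adobe tool: it polls the ColdFusion process, derives a CPU percentage from consecutive samples, and warns when CPU stays high or the working set grows well beyond its first reading. The process name `coldfusion`, the interval and the thresholds are assumptions to adjust per deployment.

```powershell
# Added example (not from the advisory): sample the ColdFusion JVM process and
# flag sustained CPU load or working-set growth consistent with resource exhaustion.
# Process name, thresholds and interval are assumptions; tune them to your baseline.
param(
    [string]$ProcessName = 'coldfusion',    # assumed Windows process name
    [int]$IntervalSeconds = 5,
    [int]$Samples = 12,
    [double]$CpuPercentThreshold = 80,
    [double]$WorkingSetGrowthFactor = 1.5   # warn when WS exceeds 150% of first sample
)

$cores = [Environment]::ProcessorCount
$baselineWs = $null
$prev = $null

for ($i = 0; $i -lt $Samples; $i++) {
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No process named '$ProcessName' found; is the ColdFusion service running?"
        break
    }
    # Sum in case more than one matching process exists (e.g. several instances).
    $cpuSeconds = ($procs | Measure-Object -Property CPU -Sum).Sum
    $ws = ($procs | Measure-Object -Property WorkingSet64 -Sum).Sum
    $now = Get-Date

    if ($null -eq $baselineWs) { $baselineWs = $ws }

    if ($prev) {
        $elapsed = ($now - $prev.Time).TotalSeconds
        # CPU seconds consumed per wall-clock second, normalised across all cores.
        $cpuPct = (($cpuSeconds - $prev.Cpu) / $elapsed) / $cores * 100
        $wsMb = [math]::Round($ws / 1MB, 1)
        "{0:HH:mm:ss}  CPU {1,6:N1}%  WS {2,8:N1} MB" -f $now, $cpuPct, $wsMb

        if ($cpuPct -ge $CpuPercentThreshold) {
            Write-Warning "CPU above $CpuPercentThreshold% ($([math]::Round($cpuPct, 1))%)"
        }
        if ($ws -ge $baselineWs * $WorkingSetGrowthFactor) {
            Write-Warning "Working set grew to $wsMb MB from baseline $([math]::Round($baselineWs / 1MB, 1)) MB"
        }
    }
    $prev = [pscustomobject]@{ Time = $now; Cpu = $cpuSeconds }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it before and after applying the 2025.6.1 update to compare resource behaviour under the same load, which is the verification step the paragraph above calls for.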
Adobe recommends updating to version 2025.6.1 or later to mitigate this vulnerability. The update fixes the excessive resource consumption issue that could lead to a denial of service. See the Adobe Security Advisory APSB26-38 page for further details and update instructions.
CVE-2026-27308 is a denial-of-service vulnerability in ColdFusion affecting versions 0.0.0–2025.6. An attacker can exhaust system resources, impacting application speed.
You are affected if you are running ColdFusion versions 2023.18, 2025.6, or earlier. Upgrade to 2025.6.1 or later to mitigate the risk.
Upgrade ColdFusion to version 2025.6.1 or later. As a temporary workaround, implement rate limiting for requests to the application.
There are currently no reports of active exploitation, and no public proof-of-concept code is available.
Refer to the Adobe Security Bulletin for CVE-2026-27308 on the Adobe website.