CVE-2023-26360

Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 20, 2026 · 5 articles · Published: 2023-03-23

EPSS Score

Source: FIRST.org · 2026-05-24
94.33% probability
This CVE has a 94.33% probability of being exploited in the next 30 days.
Top 100.0th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.6 HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description

Source: VulnerabilityLookup (CNA)
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Affected Products

Adobe
ColdFusion
unspecified unspecified unspecified

Attack Intelligence

Exploits & PoC

yosef0x01/CVE-2023-26360 (⭐ 5)
Exploit for Arbitrary File Read for CVE-2023-26360 - Adobe Coldfusion

jakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit (⭐ 5)
PoC CVE-2023-26360 — jakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit

H3rm1tR3b0rn/CVE-2023-26360-RCE (⭐ 1)
Exploit for Remote Code Execution in ColdFusion 2021 (CVE-2023-26360)

RyanRodrigues880/CVE-2023-26360 (⭐ 0)
Exploit - CVE-2023-26360

4 repos, sorted by ⭐

Signal Intelligence

Confidence: 85%
EPSS: 94.33%
CVSS v3.1: 8.6
Mentions: 5
Last Seen: Mar 15, 2023

CNA Information

CNA Assigner: adobe
CNA Title: Adobe ColdFusion Improper Access Control Arbitrary code execution

Analyst Note

CVE-2023-26360 is an Adobe ColdFusion vulnerability explicitly documented as exploited in the wild by CISA, which added it to the KEV catalog on March 15, 2023, based on active exploitation evidence. Multiple authoritative sources confirm CISA's zero-day warning and active attacks against federal agency servers, with exploitation occurring concurrent with or prior to patch availability in the March 2023 Patch Tuesday cycle.

Threat Actors 1

APT 29 · apt_group · Information theft and espionage · 🇷🇺 RU

Triage Info

Decided at: Mar 20, 2026
Published Date: Mar 23, 2023