CVE-2026-47933: Adobe ColdFusion Stored XSS Vulnerability – Exploit Risk & Patch Guidance
Adobe ColdFusion versions 2023.19, 2025.8 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged attackers to inject malicious JavaScript into form fields. When other users view pages containing these compromised fields, the attacker's script executes in their browsers. This is a persistence mechanism rather than a one-time attack—the malicious code remains embedded in the application until remediated.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 29 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47933 is a stored XSS vulnerability (CWE-79) in ColdFusion's form field handling. An authenticated attacker with low-level privileges can craft malicious input that bypasses input sanitization and persists in the application's data store. The vulnerability's scope change indicates that exploitation affects not just the immediate application context but potentially users and components outside the attacker's security domain. The CVSS vector AV:A/AC:L/PR:L/UI:R/S:C reflects network adjacency, low attack complexity, low privilege requirements, mandatory user interaction in the victim's browser, and changed scope.
Business impact
Organizations running affected ColdFusion versions face reputational and operational risk. Attackers can deface application interfaces, harvest session tokens or credentials, redirect users to malicious sites, or deliver malware to end users—all while appearing to originate from the legitimate application. Customer trust erodes if users discover their browsers are being exploited through your infrastructure. Incident response becomes complex because the payload persists until patched, affecting every user who accesses the compromised page.
Affected systems
Adobe ColdFusion versions 2023.19 and 2025.8 and all earlier versions are in scope. Organizations must inventory all ColdFusion deployments and their version numbers immediately. Both classic ColdFusion server installations and cloud-hosted ColdFusion instances require assessment. Custom applications built on vulnerable ColdFusion versions that expose form input to users are at highest risk.
Exploitability
Exploitation requires low privileges (an authenticated user account) and proximity to the target network (AV:A suggests adjacent network access). The attacker must induce a victim user to view the malicious form field (UI:R). Once those conditions are met, injection is straightforward—ColdFusion's form handling does not adequately sanitize stored input. Exploit code is not in public circulation yet, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the attack pattern is well-established and does not require advanced technique.
Remediation
Apply Adobe's security patch for ColdFusion as soon as it becomes available. Verify the specific patched version against Adobe's official advisory. In the interim, implement input validation and output encoding at the application layer—sanitize all form field inputs on both client and server side, and use context-aware encoding (HTML entity encoding for display in HTML context). Deploy a Web Application Firewall (WAF) with XSS detection rules. Consider restricting access to ColdFusion administrative functions and form submission endpoints to trusted networks only.
Patch guidance
Monitor Adobe's security bulletins for the official patch release. Verify patch availability against Adobe ColdFusion's release notes page. Apply patches first to non-production environments, test for application compatibility, then roll out to production systems. Because this is a stored vulnerability, all data entered before patching should be treated as potentially malicious—consider a data audit or sanitization job post-patch to remove any injected payloads that may still be in the database.
Detection guidance
Search application logs and WAF logs for form submissions containing JavaScript tags, event handlers (onclick, onerror, etc.), and common XSS payloads (e.g., <script>, javascript:, onerror=). Monitor for unusual form field values that deviate from expected data types or length. Use SIEM correlation to identify sequences where a low-privileged user submits suspicious input, followed by alerts from other users' browsers. Check ColdFusion error logs for encoding-related warnings. Conduct a manual review of stored form data in your application database for signs of injected scripts.
Why prioritize this
Although the CVSS score is MEDIUM (4.8), this vulnerability warrants prompt attention because: (1) stored XSS affects all users who view the compromised page, multiplying the impact across your user base; (2) the scope change means the attacker's actions can affect other security domains; (3) exploitation requires only low privileges, expanding the attacker pool; and (4) ColdFusion is often used in enterprise environments where form-based data entry is critical. Deprioritize only if you have confirmed that your ColdFusion instances do not accept or display user-controlled form input.
Risk score, explained
The CVSS 3.1 score of 4.8 reflects a moderate threat: low attack vector (adjacent network), low complexity, low privilege barrier, and required user interaction cap the score. However, the stored nature of the payload and scope change elevate practical risk beyond the numeric score. Organizations with high user volumes, sensitive form data, or strict compliance requirements should treat this as higher priority than the MEDIUM label suggests.
Frequently asked questions
Do we need to patch immediately if ColdFusion is behind a firewall and only internal users access it?
Even in internal environments, this vulnerability is worth prioritizing. An internal attacker or compromised insider account can inject malicious scripts that execute in other employees' browsers, potentially harvesting credentials or pivoting to other systems. Firewall protection does not mitigate stored XSS; patching remains the best defense.
Can a WAF fully protect us until we patch?
A WAF can reduce risk by blocking common XSS payloads in form submissions and responses, but it cannot fully substitute for patching. WAF rules can be bypassed with encoding or obfuscation, and detection may have false negatives. Use WAF as a temporary layer while you prepare and test patches, but commit to patching on a defined timeline.
What should we do about form data that was already stored before we patch?
Post-patch, audit stored form fields for signs of injection (look for script tags, event handlers, or unusual Unicode sequences). If found, either sanitize the data programmatically or delete compromised records. Document what was found for your incident response and audit trail. This step is important for compliance and prevents the payload from being re-injected after patching.
Does this vulnerability affect ColdFusion if it's only used as a backend API with no UI?
If your ColdFusion instance only serves API responses (JSON/XML) and never renders form input as HTML to a browser, your exposure is lower. However, if any partner applications, dashboards, or internal tools consume that API and display user-controlled values without encoding, they inherit the XSS risk. Review the full data flow.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Verify all patch versions, availability dates, and technical details against Adobe's official security bulletins before implementation. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for specific environments. Consult with your ColdFusion vendor and conduct testing in a non-production environment before deploying patches. If you discover evidence of active exploitation, contact your incident response team and relevant law enforcement immediately. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-34694MEDIUMAdobe Experience Manager Forms JEE Stored XSS Vulnerability – Patch Guide
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)