Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
Conclusion & alert: CVE-2018-15961 is rated Critical Active Threat (100/100): CVSS Critical severity, with high exploitation likelihood (EPSS 99.95%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2021-11-03) affecting Adobe / ColdFusion. a weakness (CWE-434) Unauthenticated remote administrative access may be possible. EPSS rose +5.53% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Adobe ColdFusion Unrestricted File Upload Vulnerability · CISA KEV detail
: 2021-11-03
: 2022-05-03
: Apply updates per vendor instructions.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 45979 | exploit_db | edb | 2018-12-11 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 94.42% | 99.95% | +5.53% |
| 2 | 2025-11-21 | 94.35% | 94.42% | +0.07% |
| 3 | 2025-11-18 | — | 94.35% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 10.0 | 2.0 | HIGH |
|
10.0 | 10.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update1:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update10:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update11:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update12:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update13:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update14:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update2:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update3:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update4:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update5:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update6:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update7:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update8:*:*:*:*:*:* |
| adobe | coldfusion | 11.0 | cpe:2.3:a:adobe:coldfusion:11.0:update9:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update1:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update2:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update3:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update4:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update5:*:*:*:*:*:* |
| adobe | coldfusion | 2016 | cpe:2.3:a:adobe:coldfusion:2016:update6:*:*:*:*:*:* |
| adobe | coldfusion | 2018 | cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/105314 | Broken Link Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1041621 | Broken Link Third Party Advisory VDB Entry |
| https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html | Vendor Advisory |
| https://www.exploit-db.com/exploits/45979/ | Exploit Third Party Advisory VDB Entry |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15961 | Third Party Advisory US Government Resource |