PatchSiren

CVE-2026-47960 Adobe CVE debrief

CVE-2026-47960 is a HIGH severity vulnerability in ColdFusion versions 2023.19, 2025.8 and earlier. This Improper Restriction of XML External Entity Reference ('XXE') vulnerability could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. The CVSS score for this vulnerability is 7.4.

Vendor: Adobe
Product: ColdFusion
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-10
Advisory published: 2026-06-09
Advisory updated: 2026-06-10

Who should care

Users of ColdFusion versions 2023.19, 2025.8 and earlier should apply the necessary patches to prevent exploitation of this vulnerability.

Technical summary

The vulnerability is an Improper Restriction of XML External Entity Reference ('XXE') in ColdFusion versions 2023.19, 2025.8 and earlier. An attacker who exploits it can read sensitive files and directories outside the intended access scope. Exploitation requires user interaction: a victim must open a malicious file.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the necessary patches for ColdFusion versions 2023.19, 2025.8 and earlier.
  • Restrict access to sensitive files and directories.
  • Educate users on the risks of opening malicious files.
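Because exploitation depends on a victim opening a malicious file, XML files from untrusted sources can be screened for external entity declarations before anyone opens them. The following is an added example, not code from Adobe or from this page; the page does not name the affected file type or ColdFusion component, so the function name `screen_xml`, the rule names and the sample documents are assumptions made for illustration.

```python
import codecs
import re

# Rule name -> pattern for a declaration that lets an XML parser pull in data
# from outside the document. Comments are not stripped first: a declaration
# hidden between comment-like strings must still be flagged.
RULES = [
    ("doctype", r"<!DOCTYPE\b"),
    ("external-dtd", r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b"),
    ("external-entity", r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b"),
    ("parameter-entity", r"<!ENTITY\s+%"),
]

def _decode(raw: bytes) -> str:
    """Decode UTF-8/16/32 input so a wide encoding does not hide the markup."""
    boms = [(codecs.BOM_UTF32_LE, "utf-32"), (codecs.BOM_UTF32_BE, "utf-32"),
            (codecs.BOM_UTF16_LE, "utf-16"), (codecs.BOM_UTF16_BE, "utf-16")]
    for bom, enc in boms:
        if raw.startswith(bom):
            return raw.decode(enc, errors="replace")
    if raw[:2] == b"<\x00":   # UTF-16LE without a BOM
        return raw.decode("utf-16-le", errors="replace")
    if raw[:2] == b"\x00<":   # UTF-16BE without a BOM
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def screen_xml(raw: bytes) -> list[str]:
    """Return the names of the rules the file triggers; empty means none."""
    text = _decode(raw)
    return [name for name, pattern in RULES if re.search(pattern, text, re.I)]

# Constructed samples (not taken from the advisory); the URI is a placeholder.
BENIGN = b'<?xml version="1.0"?><report><item>ok</item></report>'
EXTERNAL = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM '
            b'"file:///constructed/placeholder">]><r>&e;</r>')
EXTERNAL_UTF16 = EXTERNAL.decode("ascii").encode("utf-16")
INTERNAL_ONLY = b'<!DOCTYPE r [<!ENTITY e "SYSTEM is just text">]><r>&e;</r>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("external", EXTERNAL),
                          ("external-utf16", EXTERNAL_UTF16),
                          ("internal-only", INTERNAL_ONLY)]:
        print(f"{label:15} {screen_xml(sample) or 'clean'}")
```

A file that triggers any rule other than `doctype` should be quarantined for review; this screening supplements the vendor patch and does not replace it.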

Evidence notes

The CVE record for CVE-2026-47960 was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-47960). The NVD detail for CVE-2026-47960 can be found at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-47960). Additional information can be found in the source reference at [ref-4](https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html).

Official resources

CVE-2026-47960 was published on 2026-06-09T21:17:24.387Z and modified on 2026-06-10T18:35:49.083Z.