ColdFusion vulnerabilities: known CVEs & security history
Adobe · Actively exploited · 215 tracked CVEs · 16 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all ColdFusion release lines — 215 in total, with 16 actively exploited in the wild. A CVE here doesn't mean your version is affected — check ColdFusion's current status and the safe version to run.
Known ColdFusion CVEs
Actively-exploited and most-severe first. Showing the top 80 of 215. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2023-38203⚡ exploited | critical | 9.8 | 97% | 2023 |
| CVE-2023-29300⚡ exploited | critical | 9.8 | 100% | 2023 |
| CVE-2023-26359⚡ exploited | critical | 9.8 | 18% | 2023 |
| CVE-2018-15961⚡ exploited | critical | 9.8 | 100% | 2018 |
| CVE-2018-4939⚡ exploited | critical | 9.8 | 63% | 2018 |
| CVE-2017-3066⚡ exploited | critical | 9.8 | 91% | 2017 |
| CVE-2013-0632⚡ exploited | critical | 9.8 | 94% | 2013 |
| CVE-2013-0625⚡ exploited | critical | 9.8 | 94% | 2013 |
| CVE-2010-2861⚡ exploited | critical | 9.8 | 100% | 2010 |
| CVE-2023-26360⚡ exploited | high | 8.6 | 97% | 2023 |
| CVE-2023-38205⚡ exploited | high | 7.5 | 100% | 2023 |
| CVE-2023-29298⚡ exploited | high | 7.5 | 100% | 2023 |
| CVE-2013-0631⚡ exploited | high | 7.5 | 66% | 2013 |
| CVE-2013-0629⚡ exploited | high | 7.5 | 66% | 2013 |
| CVE-2024-20767⚡ exploited | high | 7.4 | 99% | 2024 |
| CVE-2009-3960⚡ exploited | medium | 6.5 | 90% | 2010 |
| CVE-2025-54261 | critical | 10 | 20% | 2025 |
| CVE-2024-41874 | critical | 9.8 | 31% | 2024 |
| CVE-2023-44353 | critical | 9.8 | 80% | 2023 |
| CVE-2023-44351 | critical | 9.8 | 50% | 2023 |
| CVE-2023-44350 | critical | 9.8 | 65% | 2023 |
| CVE-2023-38204 | critical | 9.8 | 65% | 2023 |
| CVE-2022-38418 | critical | 9.8 | 80% | 2022 |
| CVE-2022-35712 | critical | 9.8 | 37% | 2022 |
| CVE-2022-35711 | critical | 9.8 | 73% | 2022 |
| CVE-2022-35710 | critical | 9.8 | 43% | 2022 |
| CVE-2022-35690 | critical | 9.8 | 72% | 2022 |
| CVE-2020-3794 | critical | 9.8 | 7% | 2020 |
| CVE-2019-8256 | critical | 9.8 | 4% | 2019 |
| CVE-2019-8074 | critical | 9.8 | 19% | 2019 |
| CVE-2019-8073 | critical | 9.8 | 8% | 2019 |
| CVE-2019-7840 | critical | 9.8 | 17% | 2019 |
| CVE-2019-7839 | critical | 9.8 | 44% | 2019 |
| CVE-2019-7838 | critical | 9.8 | 17% | 2019 |
| CVE-2019-7091 | critical | 9.8 | 26% | 2019 |
| CVE-2019-7816 | critical | 9.8 | 68% | 2019 |
| CVE-2018-15965 | critical | 9.8 | 26% | 2018 |
| CVE-2018-15959 | critical | 9.8 | 26% | 2018 |
| CVE-2018-15958 | critical | 9.8 | 26% | 2018 |
| CVE-2018-15957 | critical | 9.8 | 28% | 2018 |
| CVE-2017-11284 | critical | 9.8 | 43% | 2017 |
| CVE-2017-11283 | critical | 9.8 | 43% | 2017 |
| CVE-2016-1114 | critical | 9.8 | 9% | 2016 |
| CVE-2026-47928 | critical | 9.6 | 9% | 2026 |
| CVE-2026-27304 | critical | 9.3 | 4% | 2026 |
| CVE-2025-49535 | critical | 9.3 | 1% | 2025 |
| CVE-2025-61811 | critical | 9.1 | 1% | 2025 |
| CVE-2025-61809 | critical | 9.1 | 1% | 2025 |
| CVE-2025-61808 | critical | 9.1 | 8% | 2025 |
| CVE-2025-43564 | critical | 9.1 | 8% | 2025 |
| CVE-2025-43563 | critical | 9.1 | 8% | 2025 |
| CVE-2025-43562 | critical | 9.1 | 30% | 2025 |
| CVE-2025-43561 | critical | 9.1 | 11% | 2025 |
| CVE-2025-43560 | critical | 9.1 | 10% | 2025 |
| CVE-2025-43559 | critical | 9.1 | 1% | 2025 |
| CVE-2025-30282 | critical | 9.1 | 1% | 2025 |
| CVE-2025-30281 | critical | 9.1 | 14% | 2025 |
| CVE-2025-24447 | critical | 9.1 | 2% | 2025 |
| CVE-2025-24446 | critical | 9.1 | 1% | 2025 |
| CVE-2010-5290 | high | 10 | 6% | 2013 |
| CVE-2013-3350 | high | 10 | 8% | 2013 |
| CVE-2013-1389 | high | 10 | 6% | 2013 |
| CVE-2026-47932 | high | 8.8 | 8% | 2026 |
| CVE-2025-49551 | high | 8.8 | 0% | 2025 |
| CVE-2025-30290 | high | 8.7 | 12% | 2025 |
| CVE-2026-27305 | high | 8.6 | 29% | 2026 |
| CVE-2016-4264 | high | 8.6 | 69% | 2016 |
| CVE-2026-47931 | high | 8.4 | 1% | 2026 |
| CVE-2026-47929 | high | 8.4 | 8% | 2026 |
| CVE-2026-27306 | high | 8.4 | 0% | 2026 |
| CVE-2025-61812 | high | 8.4 | 4% | 2025 |
| CVE-2025-61810 | high | 8.4 | 8% | 2025 |
| CVE-2025-43565 | high | 8.4 | 8% | 2025 |
| CVE-2025-30286 | high | 8.4 | 2% | 2025 |
| CVE-2025-30285 | high | 8.4 | 18% | 2025 |
| CVE-2025-30284 | high | 8.4 | 2% | 2025 |
| CVE-2025-61813 | high | 8.2 | 0% | 2025 |
| CVE-2025-30289 | high | 8.2 | 5% | 2025 |
| CVE-2025-30288 | high | 8.2 | 0% | 2025 |
| CVE-2025-30287 | high | 8.2 | 3% | 2025 |
135 older / lower-severity CVEs not shown — see ColdFusion's full record.
Is my ColdFusion version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your ColdFusion version → · Monitor ColdFusion for new CVEs →
ColdFusion vulnerabilities — frequently asked
How many known vulnerabilities does ColdFusion have?
IsItPatched tracks 215 CVEs for ColdFusion, 16 of which are actively exploited (CISA KEV). 52 are critical-severity and 67 high-severity. These span every release line — what matters is whether the version you run is affected.
Does ColdFusion have any actively-exploited vulnerabilities?
Yes — 16 ColdFusion CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild (4 linked to ransomware). Patch these as a priority.
What is the most severe ColdFusion vulnerability?
Among tracked issues, CVE-2023-38203 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a Insecure deserialization weakness.
Is ColdFusion safe to use?
It depends on the version. The latest supported ColdFusion release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: ColdFusion security status · ColdFusion end-of-life · actively-exploited CVEs. Always verify against Adobe's advisories — see our disclaimer.