Impact
Adobe ColdFusion 2025 through update 4, 2023 through update 16, and 2021 through update 22 (and all earlier updates in each family) contain an improper restriction of XML External Entity reference, a classic XXE flaw (CWE-611). When a crafted XML document declaring an external entity is processed, the parser resolves that entity, so the server reads the file the entity points to and splices its contents into the parsed document. An attacker can use this to read arbitrary files on the server, exposing configuration files, stored credentials, and other secrets, and thereby compromising confidentiality. The attack vector is a malicious XML document delivered to any application code path that parses attacker-supplied XML; as rated, this requires user interaction or a client request that carries the crafted data.
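The mechanism above, shown as an added example that is not ColdFusion or Adobe code. ColdFusion parses XML on a Java stack; this Python stand-in uses the standard library's xml.sax parser, whose expat backend only fetches external general entities when feature_external_ges is switched on, to reproduce the CWE-611 behaviour and contrast it with a hardened configuration. The secret file, its path, and the "db.password=hunter2" line are constructed sample data, and the file:// URL assumes a POSIX path.

```python
"""XXE (CWE-611) mechanics in Python's xml.sax: vulnerable vs. hardened parsing.

Added illustration, not ColdFusion code. The payload shape (a DTD that declares a
SYSTEM entity pointing at a local file, then references it in the body) is the
same one a Java parser with external entity resolution enabled would inline.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when the document carries a DTD."""


class TextCollector(ContentHandler):
    """Accumulates character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts).strip()


class NoDoctype:
    """Lexical handler that refuses any <!DOCTYPE>, the only place an external
    entity can be declared. Same idea as Xerces' disallow-doctype-decl feature
    on the Java side; the remaining methods just satisfy the SAX interface."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path):
    """Crafted document: entity 'secret' points at a server-side file (constructed
    path for this demo), and the body references it so the content is inlined."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [\n'
        f'  <!ENTITY secret SYSTEM "file://{path}">\n'
        ']>\n'
        '<order><note>&secret;</note></order>\n'
    )


def parse_text(xml_text, external_entities=False, reject_doctype=False):
    """Parse xml_text and return its character content.

    external_entities=True reproduces the vulnerable behaviour (SYSTEM entities
    are fetched and inlined); reject_doctype=True is the hardened setting."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, NoDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.text


def demo():
    """Write a stand-in secret file (constructed sample data, not a real credential),
    run the payload through three parser configurations, and clean up.
    Returns (leaked_text, text_with_entities_off, doctype_was_rejected)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("db.password=hunter2\n")
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_text(payload, external_entities=True)   # vulnerable: file inlined
        quiet = parse_text(payload, external_entities=False)   # entity silently dropped
        try:
            parse_text(payload, reject_doctype=True)           # hardened: DTD refused
            rejected = False
        except DoctypeRejected:
            rejected = True
        return leaked, quiet, rejected
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, quiet, rejected = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(quiet))
    print("DOCTYPE rejected     :", rejected)
```

The two hardened settings are not interchangeable: leaving external entity resolution off stops the file read but still accepts the DTD, so entity expansion attacks against the internal subset remain possible, whereas refusing the DOCTYPE outright removes every entity-based vector at the cost of rejecting legitimate documents that carry a DTD.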
Affected Systems
Affected systems are Adobe ColdFusion installations in three release families: ColdFusion 2025 up to and including update 4, ColdFusion 2023 up to and including update 16, and ColdFusion 2021 up to and including update 22, together with every earlier update in each family. The CPE list attached to the CVE enumerates each of these update series individually.
Risk and Exploitability
The CVSS score of 8.2 signals high severity. The EPSS score below 1% indicates a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply or influence an XML payload that reaches a parsing code path, so user interaction or application-level injection is needed. A successful exploit reads any file accessible to the operating-system account the ColdFusion service runs as; the impact is read-only disclosure of the server file system within that account's permissions, not modification or code execution. Two practical consequences follow: running the service under a dedicated low-privilege account bounds what an XXE can reach, and installing the ColdFusion update that addresses this issue in your release family removes the vector.
OpenCVE Enrichment