Description
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.
Published: 2026-04-14
Score: 7.7 High
EPSS: 8.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe ColdFusion suffers from an Improper Limitation of a Pathname to a Restricted Directory vulnerability that allows an attacker to traverse directory boundaries and read files or directories outside the intended restricted area. The flaw can bypass security controls, exposing sensitive system data or application files. It is a classic directory traversal weakness (CWE-22).

Affected Systems

Adobe ColdFusion versions 2023.18, 2025.6, and all earlier releases are affected by this pathname traversal defect. The vulnerability applies to all product releases prior to the update that contains the fix, as noted in Adobe’s advisory.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.7, indicating moderate to high severity. The EPSS score of 9% suggests that exploitation is plausible but not widespread. It is not listed in the CISA KEV catalog. The issue requires no user interaction, and from the description it is inferred that an attacker could trigger the traversal by crafting an HTTP request to the application's file-handling endpoints, potentially enabling remote reads of arbitrary files.

Generated by OpenCVE AI on June 24, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe ColdFusion update that contains the path traversal fix.
  • Validate and whitelist all user-supplied file path inputs to ensure they do not escape the intended directory.
  • Restrict file system permissions so the ColdFusion process only has access to directories needed for normal operation, minimizing the impact of any remaining traversal attempts.
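As an added, defender-side illustration of the validate-and-contain recommendation above (this is not ColdFusion code and does not model the undisclosed ColdFusion endpoint): a Python containment check that canonicalises a user-supplied path under a base directory and rejects percent-encoded, symlinked, NUL-byte and absolute escapes. The base directory, file names and sample inputs are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathOutsideBase(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def resolve_within(base: Path, user_path: str) -> Path:
    """Return the absolute path for user_path, guaranteed to lie inside base.

    Percent-decode first (so '%2e%2e' reads as '..'), reject NUL bytes and
    absolute inputs, resolve symlinks, then check containment by path
    components rather than string prefix ('/srv/files2' is not under '/srv/files').
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathOutsideBase("NUL byte in path")
    if Path(decoded).is_absolute() or decoded.startswith(("\\", "//")):
        raise PathOutsideBase("absolute paths are not allowed")
    base_real = base.resolve()
    candidate = (base_real / decoded).resolve()  # follows symlinks, folds '..'
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PathOutsideBase(f"{user_path!r} escapes {base_real}") from None
    return candidate


def is_safe(base: Path, user_path: str) -> bool:
    """True if resolve_within accepts user_path under base."""
    try:
        resolve_within(base, user_path)
        return True
    except PathOutsideBase:
        return False


def demo() -> dict:
    """Run the check over constructed inputs in a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "files"
        (base / "docs").mkdir(parents=True)
        (base / "docs" / "readme.txt").write_text("ok")
        os.symlink(tmp, base / "escape")  # constructed: link inside base pointing out
        samples = ["docs/readme.txt", "docs/../docs/readme.txt", "../secret",
                   "%2e%2e/secret", "/abs/outside.txt", "escape/x", "a\x00b"]
        return {s: is_safe(base, s) for s in samples}
```

Only the two paths that stay under the base directory are accepted; the traversal, encoded traversal, absolute, symlink-escape and NUL-byte inputs are all refused.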

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:30:00 +0000

Type: CPEs
Values added:
  • cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*

Wed, 15 Apr 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values added:
  • Adobe
  • Adobe coldfusion

Type: Vendors & Products
Values added:
  • Adobe
  • Adobe coldfusion

Tue, 14 Apr 2026 22:00:00 +0000

Type: Description
Values added:
  ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.

Type: Title
Values added:
  ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Type: Weaknesses
Values added:
  • CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values added:
  {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T17:42:57.834Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34619

Vulnrichment

Updated: 2026-04-15T17:42:53.534Z

NVD

Status: Analyzed

Published: 2026-04-14T22:16:31.680

Modified: 2026-06-17T10:39:19.937

Link: CVE-2026-34619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')