Impact
ColdFusion versions 2023.19, 2025.8 and earlier contain an improper input validation flaw that allows a low‑privileged attacker to bypass internal security controls. The vulnerability is directly tied to uncontrolled data received by the application, resulting in a violation of the intended security boundary and permitting the attacker to read and write data that should have been protected. The impact is limited to confidentiality and integrity compromise, with no direct denial‑of‑service effect reported.
Affected Systems
Adobe ColdFusion 2023 through update 19 and ColdFusion 2025 through update 8, together with all earlier releases, are susceptible. This covers the base releases as well as every update enumerated in the CPE listing, namely 2023 update 1 through 2023 update 19 and 2025 update 1 through 2025 update 8.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of < 1% suggests a low likelihood of exploitation at this time. No user interaction is required; based on the description, the attack vector is inferred to be remote, with the attacker supplying crafted input to the vulnerable component. Because the security feature bypass can lead to unauthorized data access, the flaw remains a significant threat despite the low EPSS. The vulnerability is not listed in the CISA KEV catalog, but organizations should treat it with the same caution as any high‑CVSS, remotely exploitable flaw.
OpenCVE Enrichment