Impact
ColdFusion versions 2023.19, 2025.8 and earlier contain a path traversal flaw that lets an attacker bypass directory restrictions and read or execute files outside the intended sandbox. Exploitation requires user interaction: a victim must open a malicious file that triggers the traversal. Once the file is opened, the application resolves the supplied path to a location outside the restricted directory, exposing confidential data or potentially executable content. The changed scope means the impact is not confined to the vulnerable component: in CVSS terms a compromise can cross from the application into resources governed by a different security authority, such as the underlying host. Availability is not directly affected.
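The mechanism described above, a path that survives a directory restriction because the check is done on the raw string before `..` segments are resolved, is easiest to see side by side with a check that canonicalises first. The following is an added illustration written for this page, not ColdFusion code and not the specific code path behind this CVE; the sandbox root `/opt/app/sandbox`, the sample request paths and the temporary directory layout are all constructed for the example. It is generic path containment logic that applies to any application that maps user-supplied names onto a restricted directory.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed sandbox root for the string-only checks (no filesystem access).
SANDBOX = "/opt/app/sandbox"


def naive_is_inside(user_path: str) -> bool:
    """The kind of check a traversal bypasses: join, then prefix-compare the
    raw string. '..' segments are never resolved, so the prefix still matches
    even though the path points outside the sandbox."""
    candidate = posixpath.join(SANDBOX, user_path)
    return candidate.startswith(SANDBOX)


def canonical_is_inside(user_path: str, sandbox: str = SANDBOX) -> bool:
    """Decode to a fixed point (conservative: also catches double-encoded
    '..'), fold backslashes, reject absolute paths, resolve '.' and '..' with
    normpath, then require the result to be the sandbox itself or a
    descendant of it. Pure string logic, so it is testable without a disk."""
    decoded = user_path
    for _ in range(3):                      # bounded; stops once stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")    # Windows separators (assumed relevant)
    if decoded.startswith("/"):
        return False                        # absolute paths are never allowed
    resolved = posixpath.normpath(posixpath.join(sandbox, decoded))
    # The trailing "/" stops a sibling such as /opt/app/sandbox_evil passing.
    return resolved == sandbox or resolved.startswith(sandbox + "/")


def safe_open_path(sandbox_dir: str, user_path: str) -> str:
    """Filesystem-aware variant for the moment just before open(): realpath()
    also follows symlinks, so a link planted inside the sandbox that points
    outside is rejected too. Raises PermissionError on escape, otherwise
    returns the resolved absolute path that is safe to open."""
    root = os.path.realpath(sandbox_dir)
    rel = unquote(user_path).replace("\\", "/")
    if rel.startswith("/"):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    target = os.path.realpath(os.path.join(root, rel))
    if target != root and not target.startswith(root + os.sep):
        raise PermissionError(f"path escapes sandbox: {user_path!r}")
    return target


def filesystem_demo() -> dict:
    """Build a throwaway sandbox (constructed layout) with a legitimate file,
    a secret outside it and a symlink inside pointing at the secret, then
    report which requests safe_open_path() allows."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox")
        outside = os.path.join(tmp, "outside")
        os.makedirs(sandbox)
        os.makedirs(outside)
        with open(os.path.join(sandbox, "ok.txt"), "w") as f:
            f.write("public\n")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("secret\n")
        os.symlink(os.path.join(outside, "secret.txt"),
                   os.path.join(sandbox, "link.txt"))
        results = {}
        for req in ("ok.txt", "../outside/secret.txt",
                    "link.txt", "%2e%2e/outside/secret.txt"):
            try:
                safe_open_path(sandbox, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "blocked"
        return results


if __name__ == "__main__":
    for p in ("reports/q1.cfm", "../../etc/passwd",
              "%252e%252e/etc/passwd", "..\\..\\windows\\win.ini"):
        print(f"{p!r:32} naive={naive_is_inside(p)!s:5} canonical={canonical_is_inside(p)}")
    print(filesystem_demo())
```

Two design points matter in practice. First, the string check decodes until the input stops changing; that is deliberately stricter than the file layer, which decodes once, so a double-encoded `..` is refused rather than being passed through as a literal directory name that a later decode could turn back into a traversal. Second, the check that counts is the one performed on the exact path handed to the open call, after every transformation the application applies; a containment test done earlier on a different representation of the same request is what this class of bug gets past.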
Affected Systems
All deployments of Adobe ColdFusion up to and including versions 2023.19 and 2025.8 are affected, including every update release listed in the CPE data: the 2023 releases from update1 through update19 and the 2025 releases from update1 through update8.
Risk and Exploitability
The flaw carries a CVSS score of 8.8 (High). The EPSS score of 8% is the estimated probability that the vulnerability will be exploited in the wild within the next 30 days; it is low in absolute terms, but EPSS values for most published CVEs sit well under 1%, so 8% should not be read as negligible. The vulnerability is not currently listed in the CISA KEV catalog. Because exploitation requires a victim to open a crafted file, the attack is indirect and depends on file delivery, for example as an email attachment or a web download. The CVE description does not mention availability impact; the risk is to confidentiality and integrity through unauthorized file access and potential code execution. Deployments on the affected releases should move to the subsequent Adobe update; until then, restrict who can supply files that ColdFusion opens and watch for file reads or executions that resolve outside the configured sandbox directory.
OpenCVE Enrichment