Impact
Adobe ColdFusion releases up to and including 2023.19 and 2025.08 contain a path-traversal flaw (CWE-22, improper limitation of a pathname to a restricted directory). A user-supplied path is resolved outside the directory the sandbox is meant to confine it to, so an attacker can read, and in some cases execute, files located beyond the intended boundary. According to the advisory, the attack requires user interaction: the attacker crafts a malicious attachment or file, and when a victim opens it on a system running a vulnerable ColdFusion instance, the application resolves the embedded path to an unrestricted location. The direct consequence is unauthorized disclosure of confidential data; if the reachable files are executable or contain scripts, arbitrary code execution is also possible. The flaw can therefore affect the confidentiality, integrity and availability of the affected system, and its impact extends beyond the component in which it originates.
Affected Systems
All deployments of Adobe ColdFusion on the 2023 branch up to and including 2023.19, and on the 2025 branch up to and including 2025.08, are affected, together with earlier releases. Any instance that has not been patched or upgraded beyond the referenced versions should be treated as vulnerable.
Risk and Exploitability
With a CVSS score of 8.8 the flaw is rated high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not currently listed in the CISA KEV catalog, which means there is no public record of in-the-wild exploitation at the time of this enrichment. Exploitation requires user interaction: a victim must open a crafted malicious file, so the practical attack vector is file delivery, whether local or remote (for example an email attachment or a web download). Once the file is opened, the path-traversal bypass lets the attacker read or execute files outside the restricted area, providing a foothold on the application and the underlying host. The absence of a KEV listing should not be read as low risk; the fix is to upgrade beyond the affected versions.
OpenCVE Enrichment