Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Published: 2026-06-09
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2023.19, 2025.8 and all earlier releases contain an improper restriction of XML External Entity references, allowing an attacker to read arbitrary files on the server filesystem. The vulnerability enables disclosure of sensitive files and directories beyond the intended application scope, potentially compromising confidentiality. The attack requires user interaction, specifically that a victim opens a crafted malicious file. No elevation of privileges or denial of service conditions are described by the vendor. The flaw is catalogued as CWE-611.

Affected Systems

Adobe ColdFusion servers running any of the affected releases: 2023.19, 2025.8, and any earlier version. Adobe disclosed the issue in its ColdFusion security advisory, which lists the vulnerable releases. No additional vendor product line or platform data is provided.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. No EPSS score is available, and the requirement for user interaction lowers the probability of mass exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no currently known widespread exploitation. An attacker would distribute a crafted XML file that references external entities; a susceptible ColdFusion deployment resolves those references and thereby leaks sensitive filesystem data. Defensive measures must therefore focus on applying vendor fixes and tightening XML external entity handling.

Generated by OpenCVE AI on June 9, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe ColdFusion security patch for the affected versions.
  • Configure ColdFusion to disable or restrict XML External Entity processing, such as setting "disable ExternalEntityReference" to true if available.
  • Limit file system access permissions for the ColdFusion application account and enforce least privilege principles.
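As an added illustration of the "disable or restrict XML External Entity processing" action above, here is a Java example of hardening a JAXP parser. This is not Adobe's code and not a ColdFusion setting; ColdFusion runs on the JVM, so the example shows the generic JAXP features an application on that platform would set. A constructed document whose DTD declares an external entity is parsed once with a default DocumentBuilderFactory and once with a hardened factory that refuses the DOCTYPE before any external reference can be resolved. The class and method names are my own, and the SYSTEM identifier is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample input: a document whose internal DTD declares an
    // external entity. The SYSTEM identifier is a placeholder, not a real path.
    static final String UNTRUSTED_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [\n"
        + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local-file\">\n"
        + "]>\n"
        + "<data>&ext;</data>\n";

    /** Default JAXP factory: DTDs are accepted and external entities may be resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: rejects any DOCTYPE and disables every external-entity path. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: refuse DTDs outright. Untrusted input rarely needs one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep DTDs enabled elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Block the parser from opening external DTD or schema URIs of any protocol.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /**
     * Parses the document and reports what the parser did:
     *   "accepted"       - parsed without complaint (entity content was substituted)
     *   "rejected"       - parser threw a SAXException, e.g. the DOCTYPE was refused
     *   "external-read"  - parser attempted to open the external resource and hit an I/O error
     */
    static String outcome(DocumentBuilderFactory factory, String xml) throws ParserConfigurationException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        try {
            builder.parse(in);
            return "accepted";
        } catch (SAXException e) {
            return "rejected";
        } catch (IOException e) {
            // Reaching here means the default parser actually tried to read the
            // placeholder file: exactly the behaviour an XXE exploit relies on.
            return "external-read";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory:  " + outcome(defaultFactory(), UNTRUSTED_XML));
        System.out.println("hardened factory: " + outcome(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

With the hardened factory the parse fails at the DOCTYPE itself, so the SYSTEM identifier is never opened; with the default factory the parser attempts the external read before the document body is even reached. The same feature URIs apply to SAXParserFactory and XMLInputFactory has its own equivalents (IS_SUPPORTING_EXTERNAL_ENTITIES, SUPPORT_DTD), so every parser entry point an application exposes to user-supplied XML needs the same treatment.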

Generated by OpenCVE AI on June 9, 2026 at 22:45 UTC.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe coldfusion

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Type: Title
Values Removed: (none)
Values Added: ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-611

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:33:37.237Z

Reserved: 2026-05-20T15:50:31.364Z

Link: CVE-2026-47960

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T21:17:24.387

Modified: 2026-06-09T21:17:24.387

Link: CVE-2026-47960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses