Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-30
Score: 10 (Critical)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe ColdFusion fails to properly limit a pathname to its intended directory, a path traversal weakness (CWE-22) that can lead to arbitrary code execution in the context of the current user. Because the vulnerability's scope is changed, a compromise is not confined to the vulnerable component and can extend to the entire application and the underlying system. The flaw directly threatens confidentiality, integrity, and availability by letting an attacker read, modify, or delete arbitrary files and execute malicious code.

Affected Systems

Adobe ColdFusion 2025.9, 2023.20 and all earlier releases are affected. The problem is present in every installation of these releases unless it has been patched or upgraded.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity, and because no user interaction is required the flaw can be exploited from any network location that can reach the ColdFusion server. Although no EPSS score is available, the absence of a fix in the current releases and the maximum CVSS score suggest a high likelihood of exploitation. The flaw is not yet listed in CISA KEV, but its impact warrants urgent action. The attack vector is inferred to be a remote web request that supplies a specially crafted pathname to a ColdFusion resource, which the server then resolves outside the intended directory.

Generated by OpenCVE AI on June 30, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Adobe ColdFusion release that contains the path-traversal fix.
  • Restrict the file system directories that ColdFusion can access, applying the principle of least privilege and removing write permissions to sensitive folders.
  • As a stopgap until the update is applied, deploy web application firewall (WAF) rules that block path-traversal patterns such as ".." or other directory-separator sequences before requests reach ColdFusion; such filtering reduces exposure but does not replace the vendor fix.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Adobe; Adobe coldfusion
Vendors & Products   -                Adobe; Adobe coldfusion

Tue, 30 Jun 2026 16:30:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Description          -                ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title                -                ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Weaknesses           -                CWE-22
References           -                -
Metrics              -                cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T16:05:11.726Z

Reserved: 2026-05-21T15:28:38.134Z

Link: CVE-2026-48282

Vulnrichment

Updated: 2026-06-30T16:05:06.230Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')