Description
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions 2025.9, 2023.20 and earlier contain a path traversal flaw that allows an unauthenticated attacker to bypass restrictions and read or write files outside the intended protected directories. The vulnerability grants limited read and write access, which can expose sensitive files or configuration data and enable further post-exploitation actions. The flaw is classified as CWE-22 and does not require user interaction, meaning any request that reaches the vulnerable component can trigger it.

Affected Systems

Adobe ColdFusion is affected. All installations of ColdFusion 2025.9, 2023.20 and earlier are potentially vulnerable. No further version granularity is provided in the advisory.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, while no EPSS score is available, so there is no current data on exploitation probability. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw by sending crafted requests to the server's file handling endpoints, inserting relative path components that traverse outside the allowed directory. Because the flaw requires no user action or privileges (CVSS vector PR:N, UI:N), it is reachable remotely over HTTP. The impact is limited to file-level access, but it could serve as a foothold for a broader compromise.

Generated by OpenCVE AI on June 30, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ColdFusion to the latest patched release or apply any vendor-published hotfixes that address path traversal vulnerabilities.
  • Configure strict file path validation to reject any relative path sequences in all file handling inputs.
  • Limit filesystem permissions for the application user so that write access is only granted to the necessary directories and monitor access logs for any anomalous file operations.
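The second recommended action above (strict file path validation) is the one that can be shown in code. The following is an added illustration, not ColdFusion's own code or anything from the advisory; it is written in Python because the pattern is language-neutral. It assumes a hypothetical base directory `/srv/cfusion/uploads` that a file-handling endpoint is allowed to touch, and contrasts a weak string-prefix check with a canonicalisation-based containment check. The validation runs after the web layer has already URL-decoded the request, so the function deliberately does not decode again.

```python
"""
Path containment check: resolve the requested name against a fixed base
directory and accept it only if the canonical result is still inside it.
Added illustration; not ColdFusion or Adobe code.
"""
from pathlib import Path

# Constructed base directory for the demonstration (hypothetical path).
# In a real deployment this is the one directory the endpoint may touch.
BASE_DIR = "/srv/cfusion/uploads"


def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    """The weak pattern: string-prefix comparison on the un-normalised join.
    Shown only to contrast with resolve_within(); it accepts '../' segments
    because the joined string still starts with base_dir."""
    joined = f"{base_dir.rstrip('/')}/{user_path}"
    return joined.startswith(base_dir)


def resolve_within(base_dir: str, user_path: str):
    """Return the canonical Path if user_path stays inside base_dir, else None.

    Covers '..' segments, absolute paths, redundant slashes and symlinks,
    because Path.resolve() canonicalises before the containment test.
    The input is expected to be URL-decoded already; decoding it again
    here would reopen double-encoding bypasses.
    """
    if "\x00" in user_path:
        return None  # NUL bytes truncate paths in some native APIs
    base = Path(base_dir).resolve()
    # Joining an absolute user_path discards base; relative_to() below then
    # rejects it because the resolved result is not a descendant of base.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # ValueError if not inside base
    except ValueError:
        return None
    return candidate


def demo():
    """Run the containment check over constructed sample inputs."""
    samples = [
        "reports/q1.pdf",            # legitimate relative name
        "../../../etc/passwd",       # classic traversal
        "/etc/passwd",               # absolute path
        "reports/../../secret.txt",  # traversal hidden behind a valid prefix
        "..\\..\\windows\\win.ini",  # one ordinary filename on POSIX; traverses on Windows
    ]
    return {s: resolve_within(BASE_DIR, s) for s in samples}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r:32} -> {'REJECTED' if result is None else result}")
    print("naive prefix check accepts '../x':", naive_prefix_check(BASE_DIR, "../x"))
```

The backslash sample is included as a caveat: on Windows hosts the separator set differs, so the same check must be run with the platform's own path semantics, which `pathlib` does when executed there. A string-prefix comparison, as in `naive_prefix_check`, is not a substitute for the resolve-then-compare step.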

Tracking

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type: Description
Values removed: none
Values added: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.

Type: Title
Values removed: none
Values added: ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Type: Weaknesses
Values removed: none
Values added: CWE-22

Type: References
Values removed: none
Values added: none

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-30T15:55:05.962Z

Reserved: 2026-05-21T15:28:38.137Z

Link: CVE-2026-48314

Vulnrichment

Updated: 2026-06-30T15:55:01.331Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')