CVE-2026-27305

HIGH

ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Title source: cna

Description

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction.

References (1)

[Vendor Advisory] https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html

Scores

CVSS v3 8.6

EPSS 0.0018

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

adobe/coldfusion 2023 (19 CPE variants)

adobe/coldfusion 2025 (7 CPE variants)

Adobe/ColdFusion < 2025.6

Published Apr 14, 2026

Tracked Since Apr 15, 2026