Platform
coldfusion
Component
coldfusion
Fixed in
2025.6.1
CVE-2026-27305 describes a Path Traversal vulnerability discovered in ColdFusion. This flaw allows an attacker to potentially read arbitrary files from the server's file system, bypassing intended access controls. The vulnerability affects ColdFusion versions from 0.0.0 up to and including 2025.6. A fix is available in version 2025.6.
The core impact of CVE-2026-27305 lies in its ability to bypass access controls and read arbitrary files. An attacker exploiting this vulnerability could gain access to configuration files, source code, database credentials, or other sensitive information stored on the server. This could lead to complete system compromise, data breaches, and further malicious activity. The lack of user interaction required for exploitation significantly increases the risk, as an attacker can trigger the vulnerability remotely without any user action. This is similar to other path traversal vulnerabilities where attackers leverage predictable file paths to access restricted resources.
CVE-2026-27305 was publicly disclosed on April 14, 2026. Its severity is rated HIGH with a CVSS score of 8.6. Currently, there are no known active campaigns exploiting this vulnerability, but the lack of user interaction makes it a potentially attractive target. No public proof-of-concept exploits have been published as of the disclosure date.
Organizations running ColdFusion applications, particularly those with sensitive data stored on the server, are at risk. This includes businesses relying on ColdFusion for web applications, e-commerce platforms, and internal systems. Legacy ColdFusion deployments and those with weak file system permissions are especially vulnerable.
• coldfusion:
# flags files under the web root whose full path contains a literal "..\" segment
Get-ChildItem -Path "C:\ColdFusion\wwwroot\" -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.FullName -match '\.\.\\'}
• generic web:
curl -I http://your-coldfusion-server/../../../../etc/passwd
Disclosure
Exploit status
EPSS
0.18% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27305 is to upgrade ColdFusion to version 2025.6 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. These may include restricting access to the ColdFusion directory through a web application firewall (WAF) or proxy server, configuring strict file access controls within ColdFusion, and carefully reviewing any custom code that handles file paths. Monitor ColdFusion logs for suspicious file access attempts. After upgrading, verify the fix by attempting to access files outside the intended directory via a web request; access should be denied.
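The log-monitoring step above is easy to get wrong if the check only looks for a literal "../": traversal attempts in web logs routinely arrive percent-encoded, double-encoded, or with backslashes. The following is an added example, not code from this advisory or from Adobe; it assumes a combined-format access log (the sample lines are constructed) and normalizes each request target before checking for a ".." segment, reporting the source IP and response status so that a 200 on a traversal request stands out for investigation.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined format (not real ColdFusion logs).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2026:10:01:02 +0000] "GET /cfide/index.cfm HTTP/1.1" 200 512
10.0.0.7 - - [14/Apr/2026:10:01:09 +0000] "GET /app/view.cfm?file=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [14/Apr/2026:10:02:15 +0000] "GET /app/view.cfm?file=..%2F..%2Fconfig.xml HTTP/1.1" 403 0
10.0.0.9 - - [14/Apr/2026:10:02:16 +0000] "GET /app/view.cfm?file=%252e%252e%255csettings.xml HTTP/1.1" 200 2048
10.0.0.11 - - [14/Apr/2026:10:03:00 +0000] "GET /images/logo..png HTTP/1.1" 200 4096
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding) and map backslashes to slashes."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(target):
    """True if any path or query-value segment is exactly '..' after normalization.

    Splitting on query separators as well as '/' means '?file=../x' is caught,
    while a file name such as 'logo..png' is not a false positive.
    """
    norm = normalize_target(target)
    return any(part == ".." for part in re.split(r"[/?&=;]", norm))


def scan_log(text):
    """Return (ip, status, raw target) for each request containing a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if has_traversal(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        verdict = "INVESTIGATE (2xx)" if 200 <= status < 300 else "blocked"
        print(f"{ip} {status} {verdict} {target}")
```

Run against a real log file by replacing SAMPLE_LOG with the file's contents; a traversal request answered with a 2xx after the upgrade is the signal that the verification step in the paragraph above has failed and the host needs a closer look.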
Adobe recommends updating to a fixed version of ColdFusion, such as 2025.6 or later, to mitigate the path traversal vulnerability. See the Adobe Security Advisory (APS) page for detailed instructions on applying the update.
CVE-2026-27305 is a Path Traversal vulnerability in ColdFusion affecting versions 0.0.0–2025.6, allowing attackers to read arbitrary files.
If you are running ColdFusion versions 0.0.0 through 2025.6, you are potentially affected and should upgrade immediately.
Upgrade to ColdFusion version 2025.6 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Adobe Security Bulletin for CVE-2026-27305 on the Adobe website.