Platform: coldfusion
Component: coldfusion
Fixed in: 2025.6.1
CVE-2026-34619 describes a Path Traversal vulnerability discovered in ColdFusion. This flaw allows attackers to bypass intended security restrictions and potentially access sensitive files and directories on the server. The vulnerability impacts ColdFusion versions from 0.0.0 up to and including 2025.6. A fix is available in version 2025.6.
The primary impact of CVE-2026-34619 is the potential for unauthorized access to files and directories on the ColdFusion server. An attacker exploiting this vulnerability could read configuration files, source code, or other sensitive data that is not intended to be publicly accessible. This could lead to information disclosure, privilege escalation, or even remote code execution if the attacker can leverage the accessed files to compromise the system further. The lack of user interaction required for exploitation significantly increases the risk, as an attacker can trigger the vulnerability remotely without needing to trick a user into performing any action.
CVE-2026-34619 was publicly disclosed on April 14, 2026. The vulnerability's ease of exploitation and the potential for significant data exposure suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the nature of path traversal vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations running ColdFusion applications, particularly those with sensitive data stored on the server, are at risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as a compromise of one user's ColdFusion application could potentially expose data from other users.
• coldfusion: Examine ColdFusion request logs for suspicious patterns like '../' or '\\'.
• generic web: Use curl to test for path traversal by attempting to access files outside the expected directory structure. For example: curl 'http://coldfusion-server/..\.\.\.\.\/etc/passwd'
• generic web: Check access and error logs for unusual file access attempts or errors related to unauthorized file access.
• generic web: Review response headers for unexpected content or file types.
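As an added example (not from the page or from Adobe), the following log check implements the first and third bullets: it decodes each request path until stable so that single- and double-encoded sequences are caught, folds backslashes to forward slashes, and flags only requests whose normalised path contains a bare `..` segment, so filenames that merely contain dots are not reported. The log lines are constructed, in combined log format; ColdFusion's own request log layout is an assumption and the regex may need adjusting for it.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2026:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.11 - - [14/Apr/2026:10:01:05 +0000] "GET /scripts/../../etc/passwd HTTP/1.1" 200 812
203.0.113.12 - - [14/Apr/2026:10:01:09 +0000] "GET /images/..\\..\\etc\\passwd HTTP/1.1" 404 231
203.0.113.13 - - [14/Apr/2026:10:01:11 +0000] "GET /docs/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 199
203.0.113.14 - - [14/Apr/2026:10:01:15 +0000] "GET /reports/2026..04..report.pdf HTTP/1.1" 200 90211
"""

# Assumes the request line is quoted and followed by the status code, as in combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def normalise_path(raw: str) -> str:
    """Strip the query string, percent-decode until stable (catches double
    encoding), and fold backslashes to '/', the pattern the first bullet names."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded: stop once decoding no longer changes the string
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True only when a whole segment is '..'; '2026..04..report.pdf' is not flagged."""
    return any(seg == ".." for seg in normalise_path(raw_path).split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one record per traversal attempt; the status code lets responders
    prioritise requests the server actually answered with 200."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m["path"]):
            hits.append({
                "client": line.split()[0],
                "path": m["path"],
                "normalised": normalise_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["status"]} {hit["path"]} -> {hit["normalised"]}')
```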
Disclosure
Exploit status:
EPSS: 0.07% (21st percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2026-34619 is to immediately upgrade to ColdFusion version 2025.6 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the ColdFusion directory through web application firewalls (WAFs) or proxy servers. Configure WAF rules to block requests containing suspicious path traversal patterns (e.g., '../'). Regularly review and harden ColdFusion configuration settings to minimize the attack surface. After upgrading, verify the fix by attempting to access files outside the intended directory through a web browser or other HTTP client; access should be denied.
Adobe recommends updating to a patched version of ColdFusion, such as 2025.6 or later, to mitigate the path traversal vulnerability. See the Adobe Security Advisory page for detailed instructions on applying the update and for further information about the vulnerability.
CVE-2026-34619 is a Path Traversal vulnerability affecting ColdFusion versions 0.0.0–2025.6, allowing attackers to access unauthorized files.
If you are running ColdFusion versions 0.0.0 through 2025.6, you are potentially affected by this vulnerability.
Upgrade to ColdFusion version 2025.6 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, so vigilance is advised.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/CVE-2026-34619.html](https://www.adobe.com/security/advisories/CVE-2026-34619.html)