Platform
coldfusion
Component
coldfusion
Fixed in
2025.6.1
CVE-2026-34619 describes a Path Traversal vulnerability discovered in ColdFusion. This flaw allows attackers to bypass intended security restrictions and potentially access sensitive files and directories on the server. The vulnerability impacts ColdFusion versions from 0.0.0 up to and including 2025.6. A fix is available in version 2025.6.
The primary impact of CVE-2026-34619 is the potential for unauthorized access to files and directories on the ColdFusion server. An attacker exploiting this vulnerability could read configuration files, source code, or other sensitive data that is not intended to be publicly accessible. This could lead to information disclosure, privilege escalation, or even remote code execution if the attacker can leverage the accessed files to compromise the system further. The lack of user interaction required for exploitation significantly increases the risk, as an attacker can trigger the vulnerability remotely without needing to trick a user into performing any action.
CVE-2026-34619 was publicly disclosed on April 14, 2026. The vulnerability's ease of exploitation and the potential for significant data exposure suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the nature of path traversal vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-34619 is to immediately upgrade to ColdFusion version 2025.6 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the ColdFusion directory through web application firewalls (WAFs) or proxy servers. Configure WAF rules to block requests containing suspicious path traversal patterns (e.g., '../'). Regularly review and harden ColdFusion configuration settings to minimize the attack surface. After upgrading, verify the fix by attempting to access files outside the intended directory through a web browser or other HTTP client; access should be denied.
Adobe recomienda actualizar a una versión corregida de ColdFusion, como 2025.6 o posterior, para mitigar la vulnerabilidad de recorrido de ruta. Consulte la página de Adobe Security Advisory para obtener instrucciones detalladas sobre cómo aplicar la actualización y obtener más información sobre la vulnerabilidad.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34619 is a Path Traversal vulnerability affecting ColdFusion versions 0.0.0–2025.6, allowing attackers to access unauthorized files.
If you are running ColdFusion versions 0.0.0 through 2025.6, you are potentially affected by this vulnerability.
Upgrade to ColdFusion version 2025.6 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, so vigilance is advised.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/CVE-2026-34619.html](https://www.adobe.com/security/advisories/CVE-2026-34619.html)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.