Adobe ColdFusion Web application server since 1995. Tag or script based programming language CFML.
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Adobe ColdFusion.
Recent Adobe ColdFusion Security Advisories
| Advisory | Title | Published |
|---|---|---|
| APSB26-12 | Security updates available for Adobe ColdFusion | APSB26-12 | January 13, 2026 |
| APSB25-105 | Security updates available for Adobe ColdFusion | APSB25-105 | December 9, 2025 |
| APSB25-93 | Security updates available for Adobe ColdFusion | APSB25-93 | September 9, 2025 |
| APSB25-69 | Security updates available for Adobe ColdFusion | APSB25-69 | July 8, 2025 |
| APSB25-52 | Security updates available for Adobe ColdFusion | APSB25-52 | May 13, 2025 |
| APSB25-15 | Security updates available for Adobe ColdFusion | APSB25-15 | April 8, 2025 |
| APSB24-107 | Security updates available for Adobe ColdFusion | APSB24-107 | December 23, 2024 |
| APSB24-71 | Security updates available for Adobe ColdFusion | APSB24-71 | September 10, 2024 |
| APSB24-41 | Security updates available for Adobe ColdFusion | APSB24-41 | June 11, 2024 |
| APSB24-14 | Security updates available for Adobe ColdFusion | APSB24-14 | March 12, 2024 |
Known Exploited Adobe ColdFusion Vulnerabilities
The following Adobe ColdFusion vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Adobe ColdFusion Deserialization Vulnerability |
Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution. CVE-2017-3066 Exploit Probability: 93.4% |
February 24, 2025 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. CVE-2024-20767 Exploit Probability: 94.1% |
December 16, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. CVE-2023-29300 Exploit Probability: 93.8% |
January 8, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. CVE-2023-38203 Exploit Probability: 94.3% |
January 8, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user. CVE-2023-26359 Exploit Probability: 85.9% |
August 21, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. CVE-2023-29298 Exploit Probability: 94.3% |
July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. CVE-2023-38205 Exploit Probability: 94.3% |
July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. CVE-2023-26360 Exploit Probability: 94.3% |
March 15, 2023 |
| Adobe ColdFusion Directory Traversal Vulnerability |
A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files. CVE-2010-2861 Exploit Probability: 94.2% |
March 25, 2022 |
| Adobe ColdFusion Information Disclosure Vulnerability |
Adobe Coldfusion contains an unspecified vulnerability, which could result in information disclosure from a compromised server. CVE-2013-0631 Exploit Probability: 75.3% |
March 7, 2022 |
| Adobe ColdFusion Directory Traversal Vulnerability |
Adobe Coldfusion contains a directory traversal vulnerability, which could permit an unauthorized user access to restricted directories. CVE-2013-0629 Exploit Probability: 80.9% |
March 7, 2022 |
| Adobe ColdFusion Authentication Bypass Vulnerability |
Adobe Coldfusion contains an authentication bypass vulnerability, which could result in an unauthorized user gaining administrative access. CVE-2013-0625 Exploit Probability: 86.6% |
March 7, 2022 |
| Adobe ColdFusion Authentication Bypass Vulnerability |
An authentication bypass vulnerability exists in Adobe ColdFusion which could result in an unauthorized user gaining administrative access. CVE-2013-0632 Exploit Probability: 92.2% |
March 3, 2022 |
| Adobe ColdFusion Deserialization of Untrusted Data vulnerability |
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution. CVE-2018-4939 Exploit Probability: 77.0% |
November 3, 2021 |
| Adobe ColdFusion Remote Code Execution |
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. CVE-2018-15961 Exploit Probability: 94.4% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 13 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 2 known exploited Adobe ColdFusion vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Adobe ColdFusion. Here are some end of life, and end of support dates for Adobe ColdFusion.
| Release | EOL Date | End of Extended Support | Status |
|---|---|---|---|
| 2025 | April 8, 2030 | April 8, 2031 |
Active
Adobe ColdFusion 2025 will become EOL in 4 years (in 2030). |
| 2023 | May 16, 2028 | May 16, 2029 |
Active
Adobe ColdFusion 2023 will become EOL in two years (in 2028). |
| 2021 | November 10, 2025 | November 10, 2026 |
EOL
Adobe ColdFusion 2021 became EOL in 2025 and the extended support period ends in 2026. |
| 2018 | July 13, 2023 | July 13, 2024 |
EOL
Adobe ColdFusion 2018 became EOL in 2023 and the extended support period ended in 2024. |
| 2016 | February 17, 2021 | February 17, 2022 |
EOL
Adobe ColdFusion 2016 became EOL in 2021 and the extended support period ended in 2022. |
| 11 | April 30, 2019 | April 30, 2021 |
EOL
Adobe ColdFusion 11 became EOL in 2019 and the extended support period ended in 2021. |
| 10 | May 16, 2017 | May 16, 2019 |
EOL
Adobe ColdFusion 10 became EOL in 2017 and the extended support period ended in 2019. |
Extended Support differs by vendor, and may cost additional fees. Check with Adobe to see how they define extended support.
By the Year
In 2026 there have been 0 vulnerabilities in Adobe ColdFusion. Last year, in 2025 ColdFusion had 51 security vulnerabilities published. Right now, ColdFusion is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 51 | 7.42 |
| 2024 | 6 | 7.63 |
| 2023 | 18 | 7.80 |
| 2022 | 14 | 7.99 |
| 2021 | 4 | 5.45 |
| 2020 | 7 | 7.67 |
| 2019 | 10 | 9.20 |
| 2018 | 14 | 7.99 |
It may take a day or so for new ColdFusion vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Adobe ColdFusion Security Vulnerabilities
ColdFusion 2025.4/2023.16/2021.22 Unrestricted Upload Enables Remote Code Exec
CVE-2025-61808
9.1 - Critical
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high priviledged attacker. Exploitation of this issue does not require user interaction and scope is changed.
Unrestricted File Upload
Adobe ColdFusion XXE file read (2025.4/2023.16/2021.22)
CVE-2025-61813
8.2 - High
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.
XXE
ColdFusion <2025.4 Improper Input Validation Arbitrary Code Exec
CVE-2025-61812
8.4 - High
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction.
Improper Input Validation
ColdFusion Credential Exposure 2025.4 & Earlier: Unprotected Credentials
CVE-2025-64898
4.3 - Medium
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction.
Insufficiently Protected Credentials
Adobe ColdFusion XXE leads to FS read before 2025.4
CVE-2025-61821
6.8 - Medium
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed.
XXE
Adobe ColdFusion 2025.4/2023.16/2021.22 Deserialization RCE (Untrusted Data)
CVE-2025-61810
8.4 - High
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed.
Marshaling, Unmarshaling
ColdFusion 2025.4/2023.16/2021.22 Improper Input Validation Security Bypass
CVE-2025-61809
9.1 - Critical
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged.
Improper Input Validation
ColdFusion Improper Input Validation allows arbitrary FS write ( 2025.4)
CVE-2025-61822
6.2 - Medium
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed.
Improper Input Validation
ColdFusion <2025.4 Improper Access Control: Unauthorized Write Access
CVE-2025-64897
5.6 - Medium
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial of service. Exploitation of this issue requires user interaction.
Authorization
ColdFusion XXE Vulnerability before 2025.4 allows file read
CVE-2025-61823
6.2 - Medium
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.
XXE
Adobe ColdFusion <2025.4 Improper Acc Control Allows Exec
CVE-2025-61811
9.1 - Critical
- December 09, 2025
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerability to bypass security measures and execute malicious code. Exploitation of this issue does not require user interaction and scope is changed.
Directory traversal
Apache Tika XXE prior 3.2.2 & 1.28.5 (tika-core, pdf-module, parsers)
CVE-2025-66516
8.4 - High
- December 04, 2025
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
XXE
Adobe Pass 3.7.3 - Incorrect Authorization (CVE-2025-61830)
CVE-2025-61830
7.1 - High
- November 11, 2025
Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK.
AuthZ
ColdFusion CVE-2025-54261: Path Traversal before 2025.3
CVE-2025-54261
10 - Critical
- September 09, 2025
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled. Scope is changed.
Directory traversal
ColdFusion SSRF (SSRF in ColdFusion 2025.1/2023.13/2021.19)
CVE-2025-54234
2.7 - Low
- August 18, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to limited file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
SSRF
ColdFusion XXE Bypass (pre-2025.2)
CVE-2025-49535
9.3 - Critical
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
XXE
ColdFusion 2025.2/2023.14/2021.20 Auth Bypass via Internal IPs
CVE-2025-49536
7.3 - High
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
AuthZ
Adobe ColdFusion OS Command Injection before 2025.2 (ColdFusion)
CVE-2025-49537
7.9 - High
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
Shell injection
ColdFusion XML Injection: Arbitrary FS Read (2025.2/2023.14/2021.20)
CVE-2025-49538
7.4 - High
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
aka Blind XPath Injection
ColdFusion XXE to Bypass Internal IP Restrictions Before 2025.2
CVE-2025-49539
4.5 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
XXE
ColdFusion <=2025.2 XSS via internal form fields
CVE-2025-49540
4.3 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
XSS
ColdFusion XSS in Form Fields (<=2025.2) – High-Privileged Attack Path
CVE-2025-49541
4.3 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
XSS
ColdFusion 2025.2/23.14/21.20 Reflected XSS via internal IP
CVE-2025-49542
5.2 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser, scope is changed. The vulnerable component is restricted to internal IP addresses.
XSS
ColdFusion 2025.2/23.14/21.20 XSS in form fields (internal IP only)
CVE-2025-49543
4.3 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
XSS
ColdFusion XXE Bypass in v2025.2, 2023.14, 2021.20/earlier
CVE-2025-49544
6.8 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.
XXE
ColdFusion SSRF File Read (Pre-2025.2)
CVE-2025-49545
6.2 - Medium
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
SSRF
Adobe ColdFusion Improper Access Control – CVE-2025-49546 (Pre-2025.2)
CVE-2025-49546
2.4 - Low
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.
Authorization
Adobe ColdFusion 2025.2/2023.14/2021.20 UHC Hard-Coded Credential Escalation
CVE-2025-49551
8.8 - High
- July 08, 2025
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
Use of Hard-coded Credentials
ColdFusion Improper Input Validation (CVE-2025-43560) -> Arbitrary Code Exec
CVE-2025-43560
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
Improper Input Validation
ColdFusion IIV Code Execution 2025.1 & Earlier
CVE-2025-43559
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
Improper Input Validation
ColdFusion <=2025.1 Incorrect Auth Code Execution
CVE-2025-43561
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
AuthZ
ColdFusion OS Command Injection in 2025.1-2021.19 (CVE-2025-43562)
CVE-2025-43562
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
Shell injection
ColdFusion Improper Access Control: Arbitrary Filesystem Read (pre-2025.1)
CVE-2025-43564
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed
AuthZ
ColdFusion 2025.1/2023.13/2021.19 - Incorrect Auth -> Arbitrary Code Exec
CVE-2025-43565
8.4 - High
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
AuthZ
Adobe ColdFusion Improper Access Control CA-Read File 2025.1
CVE-2025-43563
9.1 - Critical
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed.
Authorization
Adobe ColdFusion <=2025 Path Traversal (CVE-2025-43566)
CVE-2025-43566
6.8 - Medium
- May 13, 2025
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed.
Directory traversal
Improper Input Validation in Adobe ColdFusion <2023.12 Enables RCE with Admin Privileges
CVE-2025-24446
9.1 - Critical
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction, but admin panel privileges are required, and scope is changed.
Improper Input Validation
ColdFusion Deserialization RCE before 2025.0
CVE-2025-24447
9.1 - Critical
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user resulting in a High impact to Confidentiality and Integrity. Exploitation of this issue does not require user interaction.
Marshaling, Unmarshaling
ColdFusion Improper Access Control (Arbitrary Code Exec) <2023.12
CVE-2025-30281
9.1 - Critical
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed.
Authorization
ColdFusion 2025.0 Improper Auth Bypass Enabling Arbitrary Code Exec
CVE-2025-30282
9.1 - Critical
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
authentification
ColdFusion <2025.0 Deserialization OF UD Vulnerability
CVE-2025-30284
8.4 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
Marshaling, Unmarshaling
ColdFusion 2023.12-2025.0 Deserialization Exploit (Arbitrary Code Exec)
CVE-2025-30285
8.4 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
Marshaling, Unmarshaling
ColdFusion OS Command Injection (<=2025.0) - Improper Neutralization
CVE-2025-30286
8.4 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
Shell injection
Improper Auth in ColdFusion 2025.0 and earlier: Code Exec
CVE-2025-30287
8.2 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed.
authentification
Adobe ColdFusion OS Command Injection CVE-2025-30289 2023.12/2021.18/2025.0
CVE-2025-30289
8.2 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application. Scope is changed.
Shell injection
Adobe ColdFusion Improper Access Control – Security Bypass Before 2025.0
CVE-2025-30288
8.2 - High
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed.
Authorization
ColdFusion Improper Input Validation (2023.12/2021.18/2025.0) Bypass
CVE-2025-30294
6.8 - Medium
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed.
Improper Input Validation
Adobe ColdFusion Improper Input Validation Bypass (2025.0 and prior)
CVE-2025-30293
6.8 - Medium
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized write access. Exploitation of this issue does not require user interaction and scope is changed.
Improper Input Validation
ColdFusion Before 2025.0 Info Exposure Bypass Vulnerability
CVE-2025-30291
5.5 - Medium
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. A low privileged attacker with local access could leverage this vulnerability to gain access to sensitive information which could be used to further compromise the system or bypass security mechanisms. Exploitation of this issue does not require user interaction.
Information Disclosure
Adobe ColdFusion Reflected XSS in URL before 2025.0
CVE-2025-30292
6.1 - Medium
- April 08, 2025
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Adobe ColdFusion or by Adobe? Click the Watch button to subscribe.
