anonhaven
Ad

CVE-2026-27305

HIGH CVSS 3.1: 8.6
Updated Apr 16, 2026
Adobe
Parameter Value
CVSS 8.6 (HIGH)
Type CWE-22 (Path Traversal)
Vendor Adobe
Public PoC No

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products 26

Configuration From (including) Up to (excluding)
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update17:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update18:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update5:*:*:*:*:*:*
Adobe Coldfusion
cpe:2.3:a:adobe:coldfusion:2025:update6:*:*:*:*:*:*

References 1

https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html
psirt@adobe.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34619

Adobe

7.7

CVE-2026-27308

Adobe

2.4

CVE-2026-27307

Adobe

2.4

CVE-2026-27306

Adobe

8.4

CVE-2026-27304

Adobe

9.3