CVE-2026-48313
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows unauthorized file system read and limited write access outside the intended directory. An attacker can exploit this without user interaction, gaining access to sensitive files.
Risk Assessment
The risk includes exposure of confidential configuration files, user data, or source code, as well as potential modification of selected files, which could lead to further attack escalation.
Recommendation
Immediately update ColdFusion to version 2025.10 or later (for the 2025 branch) and 2023.21 or later (for the 2023 branch). In the meantime, restrict server access and monitor logs for suspicious requests.
Original NVD description (English source)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.

