CVE-2026-48314
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows bypassing path restrictions. An attacker can gain limited read and write access to unauthorized files or directories outside intended restrictions. Exploitation does not require user interaction.
Risk Assessment
The organization is at risk of unauthorized access to sensitive configuration files or data, potentially leading to information disclosure or modification of critical assets.
Recommendation
Immediately update ColdFusion to version 2025.10 or 2023.21 (or later) as per vendor advisory. Restrict access to the ColdFusion server to trusted networks only.
Original NVD description (English source)
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.

