CVE-2025-49542

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.2MEDIUM

EPSS

0.1%

top 66.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Coldfusion

Timeline

PublishedJul 8

Description

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser, scope is changed. The vulnerable component is restricted to internal IP addresses.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5adobe/coldfusion2021.20

▶NVDadobe/coldfusion2021, 2023, 2025+2

🔴Vulnerability Details

GHSA

GHSA-9qm8-mr39-vjwc: ColdFusion versions 2025↗2025-07-08

▶

CVEList

ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)↗2025-07-08

▶