CVE-2025-49544

CWE-611XML External Entity (XXE)3 documents3 sources
Severity
6.8MEDIUM
EPSS
0.1%
top 68.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Adobe Coldfusion
Timeline
PublishedJul 8

Description

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NExploitability: 2.3 | Impact: 4.0

Affected Packages2 packages

CVEListV5adobe/coldfusion2021.20
NVDadobe/coldfusion2021, 2023, 2025+2

🔴Vulnerability Details

2
CVEList
ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)2025-07-08
GHSA
GHSA-hm59-jvm9-5vj7: ColdFusion versions 20252025-07-08
CVE-2025-49544 (MEDIUM CVSS 6.8) | ColdFusion versions 2025.2 | cvebase.io