CVE-2025-54261

CWE-22 Path Traversal | 4 documents | 4 sources
Severity: 10.0 CRITICAL
EPSS: 2.5% (top 14.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Sep 9

Description

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled. Scope is changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5 | adobe/coldfusion | 2021.21
NVD | adobe/coldfusion | 2021, 2023, 2025 +2

🔴 Vulnerability Details (2)

CVEList | ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 2025-09-09
GHSA | GHSA-jprg-rppq-7hjg: ColdFusion versions 2025 | 2025-09-09
CVE-2025-54261 (CRITICAL CVSS 10) | ColdFusion versions 2025.3 | cvebase.io