CVE-2026-47932
published 2026-06-09
CVE-2026-47932: ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability…
Priority P263 · critical · 9.6 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 7.62% (93.8th percentile)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Affected
30 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= 2025.8 | — |
| adobe | coldfusion | — | — |
VulDB
Adobe ColdFusion up to 2023.19/2025.8 path traversal (apsb26-64)
vuldb · 2026-06-16 · CVSS 9.6
CVE-2026-47932 [CRITICAL] Adobe ColdFusion up to 2023.19/2025.8 path traversal (apsb26-64)
A vulnerability was found in Adobe ColdFusion up to 2023.19/2025.8. It has been declared as critical. Affected by this issue is some unknown functionality. Executing a manipulation can lead to path traversal.
This vulnerability is handled as CVE-2026-47932. The attack can be executed remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
GHSA
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature
ghsa_unreviewed · 2026-06-09
CVE-2026-47932 [HIGH] CWE-22 ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-09