High severity8.6NVD Advisory· Published Sep 1, 2016· Updated May 6, 2026

CVE-2016-4264

Description

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected products

Adobe Inc./Coldfusion2 versions
cpe:2.3:a:adobe:coldfusion:*:update10:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:coldfusion:*:update10:*:*:*:*:*:*range: <=11.0
- cpe:2.3:a:adobe:coldfusion:*:update21:*:*:*:*:*:*range: <=10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txtnvdExploitThird Party Advisory
helpx.adobe.com/security/products/coldfusion/apsb16-30.htmlnvdVendor Advisory
www.securityfocus.com/archive/1/539374/100/0/threadednvd
www.securityfocus.com/bid/92684nvd
www.securitytracker.com/id/1036708nvd
www.exploit-db.com/exploits/40346/nvd

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.044
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000