VYPR

Coldfusion

by Adobe Inc.

Source repositories

CVEs (222)

  • CVE-2010-2861CriKEVAug 11, 2010
    risk 0.93cvss 9.8epss 1.00

    Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3)…

  • CVE-2018-15961CriKEVSep 25, 2018
    risk 0.87cvss 9.8epss 1.00

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2017-3066CriKEVApr 27, 2017
    risk 0.86cvss 9.8epss 0.91

    Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

  • CVE-2013-0632CriKEVJan 17, 2013
    risk 0.86cvss 9.8epss 0.94

    administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web…

  • CVE-2013-0625CriKEVJan 9, 2013
    risk 0.86cvss 9.8epss 0.94

    Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.

  • CVE-2018-4939CriKEVMay 19, 2018
    risk 0.81cvss 9.8epss 0.63

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2009-3960MedKEVFeb 15, 2010
    risk 0.70cvss 6.5epss 0.90

    Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via…

  • CVE-2013-0629HigKEVJan 9, 2013
    risk 0.69cvss 7.5epss 0.66

    Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013.

  • CVE-2017-11284CriDec 1, 2017
    risk 0.67cvss 9.8epss 0.43

    Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2017-11283CriDec 1, 2017
    risk 0.67cvss 9.8epss 0.43

    Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2018-15965CriSep 25, 2018
    risk 0.66cvss 9.8epss 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-15959CriSep 25, 2018
    risk 0.66cvss 9.8epss 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-15958CriSep 25, 2018
    risk 0.66cvss 9.8epss 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-15957CriSep 25, 2018
    risk 0.66cvss 9.8epss 0.28

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2013-0631HigKEVJan 9, 2013
    risk 0.66cvss 7.5epss 0.66

    Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sensitive information via unspecified vectors, as exploited in the wild in January 2013.

  • CVE-2016-4264HigSep 1, 2016
    risk 0.64cvss 8.6epss 0.69

    The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction…

  • CVE-2016-1114CriMay 11, 2016
    risk 0.64cvss 9.8epss 0.09

    Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

  • CVE-2026-47928CriJun 9, 2026
    risk 0.62cvss 9.6epss 0.09

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

  • CVE-2026-27304CriApr 14, 2026
    risk 0.60cvss 9.3epss 0.04

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

  • CVE-2026-47932HigJun 9, 2026
    risk 0.57cvss 8.8epss 0.08

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized…

Page 1 of 12