VYPR

ColdFusion

by Adobe Inc.

CVEs (222)

  • CVE-2026-27305 | High | Apr 14, 2026
    risk 0.56 | cvss 8.6 | epss 0.29

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files…

  • CVE-2026-47931 | High | Jun 9, 2026
    risk 0.55 | cvss 8.4 | epss 0.01

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

  • CVE-2026-47929 | High | Jun 9, 2026
    risk 0.55 | cvss 8.4 | epss 0.08

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or…

  • CVE-2026-27306 | High | Apr 14, 2026
    risk 0.55 | cvss 8.4 | epss 0.00

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user…

  • CVE-2026-47930 | High | Jun 9, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write…

  • CVE-2025-61813 | High | Dec 10, 2025
    risk 0.53 | cvss 8.2 | epss 0.00

    ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the…

  • CVE-2018-4938 | High | May 19, 2018
    risk 0.51 | cvss 7.8 | epss 0.01

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Insecure Library Loading vulnerability. Successful exploitation could lead to local privilege escalation.

  • CVE-2026-34619 | High | Apr 14, 2026
    risk 0.50 | cvss 7.7 | epss 0.09

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized…

  • CVE-2026-27282 | High | Apr 14, 2026
    risk 0.49 | cvss 7.5 | epss 0.01

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this…

  • CVE-2018-15964 | High | Sep 25, 2018
    risk 0.49 | cvss 7.5 | epss 0.08

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier use a component with a known vulnerability. Successful exploitation could lead to information disclosure.

  • CVE-2018-15960 | High | Sep 25, 2018
    risk 0.49 | cvss 7.5 | epss 0.06

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier use a component with a known vulnerability. Successful exploitation could lead to arbitrary file overwrite.

  • CVE-2018-4942 | High | May 19, 2018
    risk 0.49 | cvss 7.5 | epss 0.04

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure.

  • CVE-2017-11286 | High | Dec 1, 2017
    risk 0.49 | cvss 7.5 | epss 0.08

    Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2026-47960 | High | Jun 9, 2026
    risk 0.48 | cvss 7.4 | epss 0.00

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories…

  • CVE-2018-4941 | Medium | May 19, 2018
    risk 0.40 | cvss 6.1 | epss 0.02

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.

  • CVE-2018-4940 | Medium | May 19, 2018
    risk 0.40 | cvss 6.1 | epss 0.02

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.

  • CVE-2017-11285 | Medium | Dec 1, 2017
    risk 0.40 | cvss 6.1 | epss 0.03

    Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2017-3008 | Medium | Apr 27, 2017
    risk 0.40 | cvss 6.1 | epss 0.03

    Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability.

  • CVE-2016-4159 | Medium | Jun 16, 2016
    risk 0.40 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 20, 11 before Update 9, and 2016 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-1113 | Medium | May 11, 2016
    risk 0.40 | cvss 6.1 | epss 0.03

    Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
