CVE-2026-27305

High

Published: 14 April 2026

Published

14 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.0018 38.6th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files…

and directories outside the intended access scope. Exploitation of this issue does not require user interaction.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Remediating the specific path traversal flaw in ColdFusion via timely patching directly prevents arbitrary file system reads as recommended in APSB26-38.

SI-10 Information Input Validation good match

prevent

Validating user-supplied path inputs against whitelists or sanitizing traversal sequences like '../' prevents exploitation of the improper pathname limitation.

AC-3 Access Enforcement partial match

prevent

Enforcing strict access controls on file system resources limits reads to authorized directories, providing defense-in-depth against path traversal attempts.

Security SummaryAI

CVE-2026-27305 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. This path traversal flaw allows arbitrary file system reads, enabling attackers to access sensitive files and directories beyond the intended scope. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact in a scoped context.

Any unauthenticated attacker with network access to a vulnerable ColdFusion instance can exploit this issue remotely without user interaction. Successful exploitation grants read access to arbitrary files on the server, potentially exposing configuration files, source code, credentials, or other sensitive data outside the application's restricted directories.

The official mitigation guidance is provided in Adobe Product Security Bulletin APSB26-38 at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, which details available patches and recommended remediation steps for affected versions.

Details

CWE(s): CWE-22

Affected Products

adobe

coldfusion

2023, 2025

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing ColdFusion (T1190) allows arbitrary file reads from local system (T1005), exposing sensitive data including credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html
Vendor Advisory · psirt@adobe.com