{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34619", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-03-30T17:30:36.490Z", "datePublished": "2026-04-14T21:53:59.589Z", "dateUpdated": "2026-04-15T17:42:57.834Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "ColdFusion", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2025.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.7, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "LOW", "modifiedScope": "CHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 7.7, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T21:53:59.589Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"}], "source": {"discovery": "EXTERNAL"}, "title": "ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:42:48.737945Z", "id": "CVE-2026-34619", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:42:57.834Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction."}], "id": "CVE-2026-34619", "lastModified": "2026-04-15T16:14:07.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T22:16:31.680", "references": [{"source": "psirt@adobe.com", "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ColdFusion", "source": "cna", "vendor": "Adobe"}, "product": "coldfusion", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T23:51:15.069131+00:00", "value": {"mitigation_remediation": ["Apply the Adobe ColdFusion update that contains the path traversal fix.", "Sanitize and whitelist all user-supplied file paths to prevent directory traversal, ensuring only authorised directories are accessed.", "Enforce file system permissions and restrict web\u2011accessible directories to the minimum required set, reducing the potential impact of any remaining traversal attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized file access"}, "threat_synthesis": {"affected_systems": "Adobe ColdFusion versions 2023.18, 2025.6, and all prior releases are affected by the path traversal defect.", "description_and_impact": "The vulnerability is an improper limitation of a pathname that allows a path traversal attack against Adobe ColdFusion. An attacker can supply crafted file path input to read files or directories that lie outside the intended restricted directory, thereby potentially exposing confidential system data. The flaw is a classic directory traversal flaw and would compromise files held by the application or the underlying operating system.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.7, indicating moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation does not require user interaction and can be performed remotely, for example through crafted HTTP requests to the application\u2019s file handling endpoints. The remote nature and lack of interaction requirement keep the risk significant for exposed systems."}}}}, "created": "2026-04-15T13:48:23.618060+00:00", "updated": "2026-04-15T14:31:57.026945+00:00", "vendors": ["adobe", "adobe$PRODUCT$coldfusion"]}