📦 ColdFusion
by Adobe
🔍 What is ColdFusion?
ColdFusion provides CFML (ColdFusion Markup Language) and CFScript languages with built-in functionality for database connectivity, PDF generation, file operations, email, XML/JSON processing, web services integration, and session management. Organizations use ColdFusion to build customer portals, content management systems, financial applications, healthcare systems, and enterprise resource planning (ERP) integrations, often serving as middleware between web frontends and backend databases (Oracle, SQL Server, MySQL) and enterprise systems.
Security vulnerabilities in Adobe ColdFusion are particularly severe due to the platform's deep system access, Java integration, and common deployment patterns exposing administrative interfaces to the internet. Critical vulnerability types include arbitrary file upload leading to remote code execution (RCE), authentication bypass in ColdFusion Administrator, deserialization flaws, path traversal enabling arbitrary file read/write, SQL injection through unsafe CFQUERY usage, and XML external entity (XXE) attacks. High-impact vulnerabilities frequently enable unauthenticated attackers to achieve complete server compromise, execute system commands, read sensitive files, and establish persistent backdoors.
Organizations running Adobe ColdFusion must treat security updates as critical, given the platform's history of severe vulnerabilities actively exploited in the wild. Hardening recommendations include removing or restricting access to ColdFusion Administrator, deploying a web application firewall (WAF), disabling unnecessary services, enforcing input validation, using parameterized queries (cfqueryparam) to prevent SQL injection, restricting file upload functionality, segmenting the network, and patching immediately when Adobe releases security updates. ColdFusion servers exposed to the internet face significant attack risk and should be prioritized for security monitoring and rapid patch deployment.
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability allows high-privileged attackers to upload dangerous file types to ColdFusion servers without authentication, potentially leading to remote code execution. It affects ColdFusion 202...
This CVE describes an Improper Input Validation vulnerability in Adobe ColdFusion that allows attackers to bypass security measures and gain unauthorized read/write access. Affected systems include Co...
This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows high-privileged attackers to bypass security controls and execute arbitrary code without user interaction. A...
This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted directories and execute arbitrary code on affected systems. It affects ColdFusion 2025.3, 2023.15, ...
This XXE vulnerability in Adobe ColdFusion allows attackers to bypass security restrictions and access sensitive data or cause denial of service by exploiting improper XML parsing. It affects ColdFusi...
This CVE describes an improper input validation vulnerability in Adobe ColdFusion that allows authenticated high-privileged attackers to execute arbitrary code on affected systems. The vulnerability a...
This CVE describes an incorrect authorization vulnerability in Adobe ColdFusion that allows high-privileged attackers to bypass authentication mechanisms and execute arbitrary code in the context of t...
This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows high-privileged attackers to read arbitrary files from the file system without authorization. The vulnerabil...
This CVE describes an improper authentication vulnerability in Adobe ColdFusion that allows high-privileged attackers to bypass authentication mechanisms and execute arbitrary code without user intera...
This CVE describes a deserialization vulnerability in Adobe ColdFusion that allows attackers to execute arbitrary code without user interaction. Systems running ColdFusion versions 2023.12, 2021.18, 2...
This vulnerability allows attackers to execute arbitrary code on Adobe ColdFusion servers by sending maliciously crafted data that gets improperly deserialized. All ColdFusion installations running af...
This vulnerability allows attackers to execute arbitrary code on Adobe ColdFusion servers by sending maliciously crafted data that gets improperly deserialized. It affects ColdFusion 2023.5 and earlie...
This vulnerability allows remote attackers to execute arbitrary code on Adobe ColdFusion servers without authentication or user interaction. It affects all ColdFusion installations running vulnerable ...
CVE-2023-38203 is a critical deserialization vulnerability in Adobe ColdFusion that allows attackers to execute arbitrary code without user interaction. This affects ColdFusion 2018, 2021, and 2023 ve...
This vulnerability allows attackers to execute arbitrary code on Adobe ColdFusion servers by exploiting insecure deserialization of untrusted data. It affects ColdFusion 2018, 2021, and 2023 versions ...
CVE-2023-26359 is a critical deserialization vulnerability in Adobe ColdFusion that allows attackers to execute arbitrary code without user interaction. This affects ColdFusion 2018 Update 15 and earl...
This vulnerability allows attackers to execute arbitrary code on ColdFusion servers by sending malicious serialized data. It affects ColdFusion 2025.4, 2023.16, 2021.22 and earlier versions. Exploitat...
This CVE describes an improper input validation vulnerability in Adobe ColdFusion that allows high-privileged attackers to execute arbitrary code without user interaction. Affected systems include Col...
This XXE vulnerability in Adobe ColdFusion allows attackers to read arbitrary files from the server filesystem without authentication. All ColdFusion installations running affected versions are vulner...
Adobe ColdFusion contains hard-coded credentials that could allow attackers to escalate privileges without user interaction. This affects ColdFusion 2025.2, 2023.14, 2021.20 and earlier versions. The ...
This CVE describes an OS command injection vulnerability in Adobe ColdFusion that allows authenticated high-privileged attackers to execute arbitrary commands on the server. The vulnerability affects ...
This CVE describes an incorrect authorization vulnerability in Adobe ColdFusion that allows high-privileged attackers to bypass security controls and execute arbitrary code. Affected versions include ...
This CVE describes a deserialization vulnerability in Adobe ColdFusion that allows arbitrary code execution when untrusted data is processed. Attackers with high privileges can exploit this to bypass ...
This CVE describes an improper authentication vulnerability in Adobe ColdFusion that allows low-privileged local attackers to bypass security controls and execute arbitrary code. Attackers must trick ...
This CVE describes an OS command injection vulnerability in Adobe ColdFusion that allows authenticated attackers with local access to execute arbitrary commands on the server. Attackers need to trick ...
This path traversal vulnerability in Adobe ColdFusion allows attackers to read arbitrary files from the server's filesystem when the admin panel is internet-accessible. Affected versions include ColdF...
This CVE describes an improper authentication vulnerability in Adobe ColdFusion that allows attackers to bypass authentication mechanisms and escalate privileges. Affected systems include ColdFusion 2...
This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows unauthenticated attackers to read arbitrary files from the server's file system. Affected systems include Co...
This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows attackers to read arbitrary files from the file system without authentication. The vulnerability affects Col...
This vulnerability allows unauthenticated attackers to bypass security controls and access ColdFusion administration endpoints (CFM/CFC files). Adobe ColdFusion versions 2023.5 and earlier, and 2021.1...
This vulnerability allows attackers to bypass security controls in Adobe ColdFusion and access administration endpoints without authentication. It affects ColdFusion 2018, 2021, and 2023 versions befo...
This vulnerability in the Adobe ColdFusion installer allows unprivileged users to create files in the default installation directory due to insecure ACL settings. This can lead to privilege escalation whe...
This XXE vulnerability in ColdFusion allows attackers to read arbitrary files from the server's filesystem without user interaction. It affects ColdFusion 2025.4, 2023.16, 2021.22 and earlier versions...
This CVE describes an Improper Input Validation vulnerability in Adobe ColdFusion that allows attackers to write arbitrary files to the file system without user interaction. The vulnerability affects ...
This XXE vulnerability in Adobe ColdFusion allows high-privileged attackers to read arbitrary files from the server filesystem when they can submit malicious XML input. Affected versions include ColdF...
This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion where low-privileged authenticated users can bypass security controls to gain limited unauthorized write access, potenti...
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier have an insufficient credential protection vulnerability that allows attackers to gain unauthorized write access by exploiting improperly store...
This stored Cross-Site Scripting (XSS) vulnerability in Adobe ColdFusion allows high-privileged attackers to inject malicious JavaScript into vulnerable form fields. When victims browse pages containi...
This stored XSS vulnerability in Adobe ColdFusion allows high-privileged attackers to inject malicious JavaScript into vulnerable form fields. When victims browse pages containing these fields, their ...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Adobe ColdFusion that allows high-privilege authenticated attackers to force the application to make arbitrary requests to inte...
This XXE vulnerability in Adobe ColdFusion allows high-privileged attackers to bypass security restrictions and access sensitive information without user interaction. The vulnerability affects ColdFus...
This CVE describes an information exposure vulnerability in Adobe ColdFusion that allows low-privileged local attackers to access sensitive information. The exposed data could enable further system co...
This CVE describes an Improper Input Validation vulnerability in Adobe ColdFusion that allows high-privileged attackers to bypass security protections and gain unauthorized write access. Affected vers...
This vulnerability allows authenticated administrators in Adobe ColdFusion to read arbitrary files on the server through path traversal. Attackers with admin access can bypass directory restrictions a...