Reflected Cross-Site Scripting Vulnerability in Lucee CFML Server
CVE-2026-29519
Key Information:
Badges
What is CVE-2026-29519?
The Lucee CFML Server versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x are vulnerable to a reflected cross-site scripting vulnerability due to improper input handling in URL path parsing. This flaw allows unauthenticated remote attackers to inject arbitrary JavaScript into the server's responses. Attackers can craft malicious URLs containing script content, which is reflected back to users visiting the link. If exploited, this could lead to session hijacking or unauthorized actions against the Lucee administrative interface, posing significant risks to users.
Affected Version(s)
Lucee 5.3.1.95 <= 7.0.0.395
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
