Improper XML External Entity Reference in Adobe ColdFusion
CVE-2026-47960
7.4 HIGH
What is CVE-2026-47960?
Adobe ColdFusion versions 2023.19, 2025.8, and earlier releases contain a security flaw: improper restriction of XML External Entity (XXE) references. An attacker can exploit this flaw to read arbitrary files on the server's file system. Exploitation requires user interaction: a user must open a specially crafted file, which triggers the exploit. A successful attack can expose sensitive files and directories, which makes securing user interactions important for preventing unauthorized file access.
Affected Version(s)
ColdFusion 0 <= 2025.8