Improper XML External Entity Reference in Adobe ColdFusion
CVE-2026-47960

7.4 HIGH

Key Information:

Vendor: Adobe
CVE Published: 9 June 2026

What is CVE-2026-47960?

Adobe ColdFusion versions 2023.19 and 2025.8, along with earlier releases, are affected by an improper restriction of XML External Entity (XXE) references. An attacker can exploit this flaw to read arbitrary files from the server's file system. Exploitation requires user interaction: a user must open a specially crafted file that triggers the exploit. As a result, sensitive files and directories may be exposed, which highlights the importance of securing user interactions to prevent unauthorized file access.

Affected Version(s)

ColdFusion 0 <= 2025.8

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
