CVE-2026-27305
Published: 14 April 2026
Summary
CVE-2026-27305 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific path traversal flaw in ColdFusion via timely patching directly prevents arbitrary file system reads as recommended in APSB26-38.
Validating user-supplied path inputs against whitelists or sanitizing traversal sequences like '../' prevents exploitation of the improper pathname limitation.
Enforcing strict access controls on file system resources limits reads to authorized directories, providing defense-in-depth against path traversal attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing ColdFusion (T1190) allows arbitrary file reads from local system (T1005), exposing sensitive data including credentials in files (T1552.001).
NVD Description
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files…
more
and directories outside the intended access scope. Exploitation of this issue does not require user interaction.
Deeper analysisAI
CVE-2026-27305 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. This path traversal flaw allows arbitrary file system reads, enabling attackers to access sensitive files and directories beyond the intended scope. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact in a scoped context.
Any unauthenticated attacker with network access to a vulnerable ColdFusion instance can exploit this issue remotely without user interaction. Successful exploitation grants read access to arbitrary files on the server, potentially exposing configuration files, source code, credentials, or other sensitive data outside the application's restricted directories.
The official mitigation guidance is provided in Adobe Product Security Bulletin APSB26-38 at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, which details available patches and recommended remediation steps for affected versions.
Details
- CWE(s)