Cyber Resilience

CVE-2026-27305

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.2896 97.9th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-27305 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27305 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. This path traversal flaw allows arbitrary file system reads, enabling attackers to access sensitive files and directories beyond the intended scope. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact in a scoped context.

Any unauthenticated attacker with network access to a vulnerable ColdFusion instance can exploit this issue remotely without user interaction. Successful exploitation grants read access to arbitrary files on the server, potentially exposing configuration files, source code, credentials, or other sensitive data outside the application's restricted directories.

The official mitigation guidance is provided in Adobe Product Security Bulletin APSB26-38 at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html, which details available patches and recommended remediation steps for affected versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files…

more

and directories outside the intended access scope. Exploitation of this issue does not require user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in public-facing ColdFusion (T1190) allows arbitrary file reads from local system (T1005), exposing sensitive data including credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61811Same product: Adobe Coldfusion
CVE-2025-54261Same product: Adobe Coldfusion
CVE-2026-34619Same product: Adobe Coldfusion
CVE-2025-61821Same product: Adobe Coldfusion
CVE-2025-61813Same product: Adobe Coldfusion
CVE-2025-49535Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2025-61809Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion

Affected Assets

adobe
coldfusion
2023, 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific path traversal flaw in ColdFusion via timely patching directly prevents arbitrary file system reads as recommended in APSB26-38.

prevent

Validating user-supplied path inputs against whitelists or sanitizing traversal sequences like '../' prevents exploitation of the improper pathname limitation.

prevent

Enforcing strict access controls on file system resources limits reads to authorized directories, providing defense-in-depth against path traversal attempts.

References