Cyber Posture

CVE-2026-34619

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0007 21.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34619 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses path traversal by requiring validation of pathname inputs to block access to unauthorized files and directories.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of the specific flaw in ColdFusion through patching as recommended in APSB26-38 to eliminate the vulnerability.

AC-3 Access Enforcement partial match
prevent

Enforces logical access controls to restrict file and directory access beyond the application's intended boundaries despite traversal attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The CVE describes a remotely exploitable path traversal vulnerability in Adobe ColdFusion (a public-facing web application server), directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files…

more

or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.

Deeper analysisAI

CVE-2026-34619 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as path traversal (CWE-22), affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. This issue enables a security feature bypass, allowing attackers to access unauthorized files or directories outside the intended restrictions. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and was published on 2026-04-14T22:16:31.680.

Attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation in a scoped context leads to high impact on availability, facilitating the bypass of security restrictions to reach files or directories beyond authorized boundaries.

The Adobe Product Security Bulletin APSB26-38 provides details on mitigation, including available patches, at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html.

Details

CWE(s)
CWE-22

Affected Products

adobe
coldfusion
2023, 2025

CVEs Like This One

CVE-2025-61811Same product: Adobe Coldfusion
CVE-2025-54261Same product: Adobe Coldfusion
CVE-2026-27305Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2025-61809Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion
CVE-2025-61813Same product: Adobe Coldfusion
CVE-2025-61808Same product: Adobe Coldfusion
CVE-2025-49535Same product: Adobe Coldfusion

References