Cyber Resilience

CVE-2026-34619

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0008 23.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34619 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34619 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as path traversal (CWE-22), affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. This issue enables a security feature bypass, allowing attackers to access unauthorized files or directories outside the intended restrictions. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and was published on 2026-04-14T22:16:31.680.

Attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation in a scoped context leads to high impact on availability, facilitating the bypass of security restrictions to reach files or directories beyond authorized boundaries.

The Adobe Product Security Bulletin APSB26-38 provides details on mitigation, including available patches, at https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html.

EU & UK References

Vulnerability details

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files…

more

or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable path traversal vulnerability in Adobe ColdFusion (a public-facing web application server), directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61811Same product: Adobe Coldfusion
CVE-2025-54261Same product: Adobe Coldfusion
CVE-2026-27305Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion
CVE-2025-61809Same product: Adobe Coldfusion
CVE-2025-49535Same product: Adobe Coldfusion
CVE-2025-61808Same product: Adobe Coldfusion
CVE-2025-61813Same product: Adobe Coldfusion

Affected Assets

adobe
coldfusion
2023, 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses path traversal by requiring validation of pathname inputs to block access to unauthorized files and directories.

prevent

Mandates timely remediation of the specific flaw in ColdFusion through patching as recommended in APSB26-38 to eliminate the vulnerability.

prevent

Enforces logical access controls to restrict file and directory access beyond the application's intended boundaries despite traversal attempts.

References