Cyber Resilience

CVE-2026-47932

Severity: High (Updated)

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: Adobe advisory APSB26-64
CVSS Score (v3.1): 8.8 High, vector CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0762 (93.8th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-47932 is a high-severity path traversal (CWE-22) vulnerability in Adobe ColdFusion with a CVSS v3.1 base score of 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.2% of CVEs by exploit likelihood (EPSS 0.0762, 93.8th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

ColdFusion versions 2023.19, 2025.8 and earlier contain a path traversal weakness classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The application fails to constrain user-influenced pathnames to the intended directory, which permits a security feature bypass that exposes files or directories outside that boundary.

Per the CVSS vector, the attacker is unauthenticated (PR:N) and positioned on an adjacent network (AV:A), and exploitation requires user interaction (UI:R): a victim must open a malicious file. A successful exploit changes scope (S:C) and has high impact on confidentiality, integrity and availability (C:H/I:H/A:H).

Adobe's advisory APSB26-64 (https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html) covers mitigation steps and the available patches for the affected ColdFusion releases. The EPSS score has remained flat at 0.0762 since disclosure, with no material increase observed.


Vulnerability details

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Path traversal (CWE-22) in a ColdFusion server reachable by the attacker gives remote read access to files and directories (T1005, T1083), obtained by exploiting the web application itself (T1190). One caveat: the CVSS vector scores this as an adjacent-network attack (AV:A) that needs user interaction (UI:R), a narrower surface than the Internet-facing, unattended exploitation T1190 usually describes, so the mapping assumes the ColdFusion host is exposed to the attacker's network position.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Adobe ColdFusion 2023 (versions up to and including 2023.19) and ColdFusion 2025 (versions up to and including 2025.8)

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation): Directly counters the CWE-22 path traversal by requiring validation of user-supplied filenames and paths before ColdFusion resolves them against restricted directories.

prevent (AC-3 Access Enforcement): Enforces the intended file and directory access policy that the vulnerability bypasses when a victim opens the malicious file.

prevent: Prevents the unauthorized information flows out of the application's restricted directory that result from the scope-changing path traversal.
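As an added illustration of what SI-10 and AC-3 mean for this bug (example code written for this page, not Adobe's or ColdFusion's own resolver): the CWE-22 pattern of joining a user-supplied name onto a base directory, next to a hardened resolver that decodes, canonicalises and checks containment before any file is touched. The logic is language-agnostic and shown here in Python; the web root, file names and contents are a constructed fixture.

```python
"""Path-containment check for user-supplied file names (added example).

naive_resolve() is the CWE-22 pattern; hardened_resolve() validates the input
(SI-10) and enforces the directory boundary (AC-3) before any file access.
The sandbox built by build_sandbox() is a constructed fixture, not real data.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote


def naive_resolve(base: Path, user_path: str) -> Path:
    """CWE-22 pattern: a handler receives the URL-decoded name and trusts it."""
    return base / unquote(user_path)


def hardened_resolve(base: Path, user_path: str) -> Optional[Path]:
    """Return the canonical path if it lies inside `base`, else None."""
    # Decode percent-encoding until stable, so a double-encoded "%252e%252e"
    # is seen as "..", then reject NUL bytes that would truncate the name.
    decoded = user_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        return None
    # Reject absolute POSIX paths, Windows drive letters and UNC prefixes outright.
    if decoded.startswith(("/", "\\")) or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    # Canonicalise both sides: resolve() follows symlinks and collapses "..",
    # so a link inside the web root that points outside it is caught as well.
    base_real = base.resolve(strict=True)
    candidate = (base_real / decoded.replace("\\", "/")).resolve(strict=False)
    # Containment by path components, not string prefix ("/srv/www" vs "/srv/www2").
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None
    return candidate


def serve(base: Path, user_path: str, hardened: bool = True) -> Optional[str]:
    """Mimic a file-serving handler: resolve, then read if a regular file exists."""
    target = hardened_resolve(base, user_path) if hardened else naive_resolve(base, user_path)
    if target is None or not target.is_file():
        return None
    return target.read_text()


def build_sandbox() -> Tuple[Path, bool]:
    """Constructed fixture: a web root, a file outside it, and a symlink that escapes.
    Returns (web_root, symlink_created)."""
    root = Path(tempfile.mkdtemp(prefix="cwe22-"))
    web = root / "webroot"
    (web / "reports").mkdir(parents=True)
    (web / "reports" / "q2.cfm").write_text("<cfoutput>quarterly</cfoutput>")
    outside = root / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("SECRET")
    link_ok = True
    try:
        os.symlink(outside, web / "escape", target_is_directory=True)
    except OSError:
        link_ok = False  # e.g. unprivileged Windows; the symlink case is skipped
    return web, link_ok


if __name__ == "__main__":
    web, link_ok = build_sandbox()
    requests = ("reports/q2.cfm", "reports/../reports/q2.cfm", "../outside/secret.txt",
                "..%2Foutside%2Fsecret.txt", "%252e%252e/outside/secret.txt",
                "escape/secret.txt", "/etc/hostname")
    for req in requests:
        print(f"{req:36} naive={serve(web, req, hardened=False)!r:12} hardened={serve(web, req)!r}")
```

The naive handler hands back the "secret" outside the web root for the plain and single-encoded traversal requests and through the escaping symlink; the hardened one refuses all of them while still serving the legitimate `reports/q2.cfm`, including the form that normalises to it. The containment test uses `relative_to` on resolved paths rather than a string prefix compare, which is the step most home-grown fixes get wrong.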

References

Adobe Security Bulletin APSB26-64: https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html