CVE-2026-47932
Published: 09 June 2026
Summary
CVE-2026-47932 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe ColdFusion. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
ColdFusion versions 2023.19, 2025.8 and earlier contain a path traversal vulnerability classified as CWE-22. The flaw stems from improper limitation of a pathname to a restricted directory and permits a security feature bypass that can expose files or directories outside the intended boundaries.
An unauthenticated attacker on an adjacent network can exploit the issue by supplying a malicious file that a victim must open. Successful exploitation changes scope and has high impact on confidentiality, integrity, and availability.
The Adobe advisory at https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html lists mitigation steps and available patches for the affected ColdFusion releases. The EPSS score remains flat at 0.0762, with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35832
Vulnerability details
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal (CWE-22) in a public-facing ColdFusion server directly enables remote file and directory access (T1005/T1083) and exploitation of the web application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly counters the CWE-22 path traversal by requiring validation of user-supplied filenames and paths before ColdFusion resolves them against restricted directories.
- AC-3 (Access Enforcement): enforces the intended file and directory access policy that the vulnerability bypasses when a victim opens the malicious file.
- Prevents unauthorized information flows that result from the scope-changing path traversal into files outside the application's restricted directory.