CVE Catalog

CVE-2026-48313

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows unauthorized file system read and limited write access outside the intended directory. An attacker can exploit this without user interaction, gaining access to sensitive files.

Risk Assessment

The risk includes exposure of confidential configuration files, user data, or source code, as well as potential modification of selected files, which could lead to further attack escalation.

Recommendation

Immediately update ColdFusion to version 2025.10 or later (for the 2025 branch) and 2023.21 or later (for the 2023 branch). In the meantime, restrict server access and monitor logs for suspicious requests.

Original NVD description (English source)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS