CVE-2026-47960: ColdFusion XXE Vulnerability Allows Arbitrary File Read
Adobe ColdFusion versions 2023.19, 2025.8 and earlier contain an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files from the server's file system. The vulnerability requires a victim to open a malicious file, making it a targeted attack vector. Once exploited, an attacker gains unauthorized access to sensitive data stored on the affected system, but cannot modify files or disrupt service availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-611
- Affected products
- 29 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47960 is an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) in ColdFusion. The flaw stems from inadequate validation of XML input, permitting attackers to craft malicious XML documents that reference external entities. When a ColdFusion application processes such a document, it resolves the external entity reference and returns file contents to the attacker. The CVSS 3.1 vector (7.4 HIGH, AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) reflects network-accessible exploitation, no special privileges required, user interaction as a necessary precondition, cross-boundary scope change, and high confidentiality impact with no integrity or availability compromise.
Business impact
Exploitation of this XXE vulnerability could result in unauthorized disclosure of sensitive application data, configuration files, credentials, or proprietary information stored on affected ColdFusion servers. For organizations relying on ColdFusion for customer-facing or data-processing applications, this represents a material data breach risk. The social engineering requirement (malicious file delivery) makes this particularly relevant to organizations where employees handle untrusted file uploads or external document processing. Data exposure could lead to compliance violations, reputational damage, and regulatory penalties depending on industry and data classification.
Affected systems
Adobe ColdFusion versions 2023.19, 2025.8 and earlier are vulnerable. This encompasses multiple ColdFusion release branches across both recent and legacy versions. Organizations should identify all deployed ColdFusion instances and cross-reference their version numbers against these affected ranges to determine exposure scope.
Exploitability
The vulnerability requires user interaction—a victim must open or process a malicious XML file within ColdFusion. There is no network-based unauthenticated remote code execution path. Exploitability depends on social engineering or file upload mechanisms within an organization's workflows. The attack surface is meaningful for organizations that accept XML uploads, process XML documents via web forms, or share files through internal systems. However, the user-interaction requirement provides a defensive control opportunity: user awareness and file validation policies can significantly reduce practical risk.
Remediation
Upgrade affected ColdFusion installations to a patched version released by Adobe. Adobe typically publishes patches in security bulletins; verify the exact patched version numbers against the official Adobe ColdFusion security advisory. Interim mitigations include disabling XML external entity processing where possible, restricting file upload capabilities to trusted sources, implementing XML input validation and schema enforcement, and educating users on phishing and malicious file risks.
Patch guidance
Contact Adobe or consult the Adobe ColdFusion Security Bulletin for definitive patch version information for your release branch. Patched versions should be tested in a non-production environment before production deployment to ensure application compatibility. Consider coordinating patches across your ColdFusion estate to maintain consistency and simplify future vulnerability management.
Detection guidance
Monitor ColdFusion application logs for XML parsing errors, unusual file access patterns, or XXE-related error messages. Network detection can focus on outbound connections from ColdFusion servers to unexpected external systems (a sign of blind XXE exfiltration). Endpoint detection should flag file access to sensitive system locations (e.g., /etc/passwd, configuration directories) initiated by ColdFusion processes. Web application firewalls can be configured to block or alert on suspicious XML payloads containing entity declarations or external references.
Why prioritize this
This vulnerability merits near-term patching due to its HIGH CVSS score (7.4), the prevalence of ColdFusion in enterprise environments, and the sensitivity of data at risk. While user interaction is required, many organizations handle file uploads or document processing workflows where an attacker could inject a malicious file. The cross-boundary scope change elevates impact beyond the application itself. Prioritize patching systems processing untrusted XML or handling sensitive data.
Risk score, explained
The CVSS 3.1 score of 7.4 (HIGH) reflects a network-accessible vulnerability requiring no privileges, with high confidentiality impact and cross-scope implications, tempered only by the need for user interaction. The score appropriately signals that this is a material risk requiring swift remediation, though not an immediate zero-day panic scenario given the social engineering component.
Frequently asked questions
Can this vulnerability be exploited remotely without user interaction?
No. The vulnerability requires a victim to open or process a malicious XML file. There is no unattended remote exploitation path. However, attackers can engineer social-engineering scenarios (phishing, file-sharing links, etc.) to increase the likelihood of a user handling a malicious file.
What types of files could an attacker read using this vulnerability?
An attacker can read any file accessible to the ColdFusion process, including system configuration files, database credentials, API keys, private keys, source code, and other sensitive data stored on the server. The scope and sensitivity depend on file permissions and the ColdFusion process's privilege level.
Is this vulnerability currently being exploited in the wild?
As of the vulnerability publication date (June 9, 2026), this issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, organizations should assume that public awareness will drive exploitation attempts; timely patching remains essential.
Can WAF or network segmentation reduce the risk?
Network controls cannot prevent this vulnerability if a user within your network receives a malicious file. However, restricting outbound connections from ColdFusion servers, disabling unnecessary file upload features, and implementing strict XML parsing policies can reduce attack surface and detectability.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. Verify all patch version numbers and compatibility information directly with Adobe's official security bulletins before deployment. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and testing in alignment with their security policies and compliance obligations. SEC.co makes no warranties regarding the completeness or accuracy of this information and assumes no liability for actions taken in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40991MEDIUMSpring REST Docs XXE Injection in Remote API Documentation
- CVE-2026-49383LOWIntelliJ IDEA UI Designer XML External Entity (XXE) Information Disclosure
- CVE-2026-8045MEDIUMXXE Information Disclosure in Schneider Electric StruxureWare Data Center Expert
- CVE-2026-34693HIGHAdobe Experience Manager Forms JEE Reflected XSS Vulnerability
- CVE-2026-34695HIGHAdobe InDesign Stack-Based Buffer Overflow RCE Vulnerability
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-34697HIGHAdobe InDesign Stack Overflow Vulnerability – Arbitrary Code Execution Risk
- CVE-2026-34698HIGHAdobe InDesign Heap Buffer Overflow (CVSS 7.8)