Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered reflected XSS requiring victim to click a crafted link (UI:R); scope changes to victim browser (S:C), enabling session theft (C:L) and unauthorized admin actions (I:L); no server availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.
AnalysisAI
Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively visit a crafted URL (CVSS 4.0 UI:A - active user interaction confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.2 (Medium) appropriately reflects the user-interaction requirement (UI:A), which is the primary mitigating factor: this is not a zero-click exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an internet-facing Lucee administrative interface and crafts a URL with a JavaScript payload embedded in the path segment (e.g., targeting the admin login or dashboard endpoint). The attacker delivers the link to a Lucee administrator via a phishing email or by embedding it in a forum post or issue tracker the admin is likely to visit. … |
| Remediation | No exact patched version is confirmed in the available intelligence data; organizations must monitor the VulnCheck advisory at https://www.vulncheck.com/advisories/lucee-cfml-server-reflected-xss-via-url-path-parsing and Lucee's official release channel for a security fix addressing CVE-2026-29519. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42906
GHSA-frv8-q5jq-3qhq