
Adobe ColdFusion EUVD-2026-35831

CVE-2026-47960 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-09 psirt@adobe.com GHSA-3mwf-3w9j-82vf
CVSS 3.1 (NVD): 7.4

Severity by source

NVD (primary): 7.4 HIGH, AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 09, 2026 - 21:34 (vuln.today)

Description (NVD)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Analysis (AI)

Arbitrary file read in Adobe ColdFusion 2023.19, 2025.8 and earlier allows remote unauthenticated attackers to exfiltrate sensitive files from the host filesystem via a malicious XML document that a victim opens through the application. The scope-changed CVSS 7.4 reflects that exploitation can impact resources beyond ColdFusion's own security context, though success hinges on user interaction. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious XML with external entity
Delivery: Deliver file to ColdFusion operator
Exploit: Victim opens or imports document
Execution: Parser resolves SYSTEM entity
Persist: Exfiltrate sensitive files cross-scope
Impact: Reuse credentials for follow-on compromise

Vulnerability Assessment (AI)

Exploitation: Requires a victim with access to ColdFusion's XML-processing surface to open or import a malicious XML document supplied by the attacker (UI:R in the CVSS vector), with no authentication needed on the attacker's side since the payload itself carries the exploit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Signals are mixed and lean toward moderate, targeted risk rather than mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker crafts an XML document containing an external entity declaration that points to a sensitive local file (e.g., <!ENTITY xxe SYSTEM "file:///opt/coldfusion/cfusion/lib/neo-security.xml">) and delivers it to a ColdFusion administrator or developer via email, support ticket attachment, or a tricked workflow on a CFC/WSDL import tool. When the victim opens or imports the file in ColdFusion, the parser resolves the entity and returns the file contents (typically administrator password hashes or datasource credentials) to a server the attacker controls via an out-of-band parameter entity, enabling follow-on full takeover. …
Remediation: Apply the vendor-released patches referenced in Adobe Security Bulletin APSB26-64 (https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html); the bulletin supersedes ColdFusion 2023 update 19 and 2025 update 8, so upgrade to the next cumulative update Adobe publishes against this bulletin and validate the post-install build number against the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.
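Defender-side companion to the exploit scenario and remediation above, added here and not part of this advisory or of Adobe's code: a Python gate built on the standard library's expat binding that records (or, in hardened mode, refuses) every DTD construct an XXE payload relies on, without ever fetching the referenced resource. The two XML documents are constructed; the malicious one carries exactly the entity quoted in the scenario.

```python
"""Defensive XXE gate: flag or refuse XML carrying the DTD constructs an XXE
payload needs. Added example for this advisory, not Adobe code; stdlib only."""
from xml.parsers.expat import ParserCreate

class DtdRejected(Exception):
    """Raised by safe_parse() for a document that is not XXE-clean."""

def audit_xml(data: bytes) -> list:
    """Parse without resolving anything external; return findings (empty = clean)."""
    findings = []
    p = ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        ext = f", external subset {sysid or pubid}" if (sysid or pubid) else ""
        findings.append(f"DOCTYPE {name!r} declared{ext}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:  # SYSTEM/PUBLIC identifier: the XXE primitive itself
            findings.append(f"external {kind} entity {name!r} -> {sysid or pubid}")
        elif is_param:      # internal parameter entities appear in OOB variants
            findings.append(f"internal parameter entity {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # With this handler installed expat asks us instead of fetching the
        # resource; we log the attempt and return 1 so parsing continues.
        findings.append(f"reference to external entity {sysid or pubid}")
        return 1

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)
    return findings

def safe_parse(data: bytes) -> None:
    """Hardened mode (the 'disallow DOCTYPE' control): refuse anything flagged."""
    findings = audit_xml(data)
    if findings:
        raise DtdRejected("; ".join(findings))

# Constructed samples: the entity is the one quoted in the advisory's exploit
# scenario; the benign document is an ordinary fragment with no DTD.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///opt/coldfusion/cfusion/lib/neo-security.xml">
]>
<data>&xxe;</data>"""
BENIGN_XML = b'<?xml version="1.0"?><data><name>report</name></data>'
```

On Java-based servers such as ColdFusion the equivalent control is a JAXP parser configured with `disallow-doctype-decl`; the audit above is a parser-agnostic pre-screen you can run on uploads before they reach the application parser.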

Recommended Action (AI)

Within 24 hours: Inventory all ColdFusion deployments and identify systems running versions 2023.19, 2025.8, or earlier; document system location and sensitivity level. …
