Skip to main content

Lucee CFML Server EUVDEUVD-2026-42906

| CVE-2026-29519 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 VulnCheck GHSA-frv8-q5jq-3qhq
6.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requiring victim to click a crafted link (UI:R); scope changes to victim browser (S:C), enabling session theft (C:L) and unauthorized admin actions (I:L); no server availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 16:05 vuln.today

DescriptionCVE.org

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.

AnalysisAI

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify internet-facing Lucee admin interface
Delivery
Craft URL with JavaScript payload in request path
Exploit
Deliver crafted link to Lucee administrator via phishing
Install
Administrator clicks URL and browser loads response
C2
Server reflects unencoded script payload in HTTP response
Execute
Injected JavaScript executes in admin browser context
Impact
Exfiltrate session cookie and gain unauthorized admin access

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively visit a crafted URL (CVSS 4.0 UI:A - active user interaction confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.2 (Medium) appropriately reflects the user-interaction requirement (UI:A), which is the primary mitigating factor: this is not a zero-click exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an internet-facing Lucee administrative interface and crafts a URL with a JavaScript payload embedded in the path segment (e.g., targeting the admin login or dashboard endpoint). The attacker delivers the link to a Lucee administrator via a phishing email or by embedding it in a forum post or issue tracker the admin is likely to visit. …
Remediation No exact patched version is confirmed in the available intelligence data; organizations must monitor the VulnCheck advisory at https://www.vulncheck.com/advisories/lucee-cfml-server-reflected-xss-via-url-path-parsing and Lucee's official release channel for a security fix addressing CVE-2026-29519. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy