Skip to main content

Lucee

1 CVEs product

Monthly

CVE-2026-29519 MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
EPSS 0% CVSS 6.2
MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy