CVE-2025-49538
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-08

Last updated on: 2025-07-11

Assigner: Adobe Systems Incorporated

Description
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-08
Last Modified
2025-07-11
Generated
2026-05-06
AI Q&A
2025-07-08
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49538
EUVD
EUVD-2025-20712
Affected Vendors & Products
Showing 39 associated CPEs
Vendor Product Version / Range
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2021
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2023
adobe coldfusion 2025
adobe coldfusion 2025
adobe coldfusion 2025
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an XML Injection issue in certain ColdFusion versions that allows an attacker to inject crafted XML or XPath queries. This can lead to unauthorized reading of files on the system or cause denial of service. Exploitation does not require user interaction but does require the attacker to have access to shared secrets.


How can this vulnerability impact me? :

The vulnerability can impact you by allowing an attacker to read arbitrary files on your system without authorization, potentially exposing sensitive data. It can also cause denial of service, disrupting the availability of your application or system.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart