CVE-2026-29519
Received Received - Intake

Reflected XSS in Lucee CFML Server

Vulnerability report for CVE-2026-29519, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
lucee cfml_server From 5.3.0 (inc) to 8.0.0 (exc)
lucee cfml_server From 5.3.1.95 (inc) to 7.0.0.395 (inc)
lucee cfml_server 6.0.4.10
lucee cfml_server 5.4.8.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-29519 is a reflected cross-site scripting (XSS) vulnerability in Lucee CFML Server versions 5.3.x through 7.0.x. It occurs in the URL path parsing mechanism, where unauthenticated remote attackers can inject malicious HTML or JavaScript payloads into the request path.

When a victim accesses a crafted URL containing the injected script, the server reflects this payload in its response without proper output encoding, allowing the attacker to execute arbitrary JavaScript in the victim's browser.

This flaw enables attackers to perform actions such as session hijacking or unauthorized operations against the Lucee administrative interface.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in your browser when you visit a maliciously crafted URL.

  • Attackers can hijack your session, potentially gaining unauthorized access to your account or sensitive information.
  • They can perform unauthorized actions against the Lucee administrative interface, compromising the security and integrity of the server.

Since the attack requires no authentication and only user interaction (clicking a link), it poses a significant risk especially if users are tricked into visiting malicious URLs.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests containing suspicious or unexpected HTML or JavaScript payloads embedded within the URL path. Since the vulnerability involves reflected cross-site scripting via URL path parsing, crafted URLs with script tags or other HTML elements are indicators.

One approach is to use network traffic inspection tools or web server logs to search for URL paths containing HTML tags such as <script>, <img>, or other suspicious payloads.

Example commands to detect such attempts include:

  • Using grep on web server access logs to find suspicious URL paths: grep -iE "<script|<img|<svg|<iframe" /var/log/httpd/access_log
  • Using curl or wget to test if the server reflects injected scripts in the URL path by sending crafted requests and inspecting the response for reflected payloads.
  • Deploying a web application firewall (WAF) with rules to detect and block requests containing HTML tags in URL paths.
Mitigation Strategies

Immediate mitigation steps include upgrading Lucee CFML Server to secure versions where the vulnerability is fixed, such as version 6.0.4.10 for the 6.x release line or 5.4.8.2 for the 5.x release line.

If upgrading is not immediately possible, applying temporary Web Application Firewall (WAF) rules to block or sanitize HTML tags in URL paths can help prevent exploitation.

Additionally, educating users to avoid clicking on suspicious or untrusted links can reduce the risk of exploitation.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser, potentially leading to session hijacking or unauthorized actions against the Lucee administrative interface.

Such unauthorized access and session hijacking risks could lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with specific standards or regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart