CVE-2026-47960 | Severity: HIGH | CNA: adobe

CVE-2026-47960: ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

An XML External Entity (XXE) injection vulnerability affects Adobe ColdFusion 2025.8 and earlier on the 2025 branch and 2023.19 and earlier on the 2023 branch. Per the CVSS vector (AV:N/PR:N/UI:R/S:C), the vulnerable endpoint is reachable over the network and no authentication is needed, but a victim must open or process an attacker-supplied file; scope is changed because the XML parser inside ColdFusion ends up reading files governed by the host operating system, a security authority outside the vulnerable component. Successful exploitation lets the attacker read arbitrary files and directories on the underlying file system (confidentiality impact only; the vector records no integrity or availability impact). No fix versions have been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Adobe ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-47960 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built ColdFusion images in connected registries and CI/CD pipelines.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.4 (HIGH) and applies per-environment compliance policy weighting to determine urgency and route the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable ColdFusion service must be reachable over the network (AV:N) for an attacker to deliver a malicious XML payload.

  • Authentication: Not required

    No credentials or account privileges are needed to attempt exploitation (PR:N).

  • Victim interaction: Required

    A user with access to the ColdFusion instance must open or process a malicious file supplied by the attacker (UI:R); the attacker cannot simply post the payload to the server and collect the result unaided.

  • Attack complexity: Low

    AC:L means the attacker needs no special conditions outside their control: a crafted XML document carrying an external entity declaration is sufficient, with no race to win and no environment-specific setup to guess. Memory layout and timing, the usual sources of high complexity in memory-corruption bugs, do not enter into an XML parsing flaw.

Blast Radius

  • Reads arbitrary files from the ColdFusion server file system, bounded by what the ColdFusion service account can read; that typically includes the application's own configuration files, which may hold database credentials, API keys, or other secrets. Running the service under an unprivileged account therefore limits, but does not remove, the exposure.
  • Reaches paths outside the application root, potentially exposing OS-level files such as /etc/passwd or Windows system configuration.
  • Scope is changed (S:C): the flaw sits in ColdFusion's XML handling, but the files it can be made to fetch are governed by the host operating system, so the impact crosses into a security authority beyond the vulnerable ColdFusion process. The vector records confidentiality impact only (C:H/I:N/A:N); this is a read primitive, not code execution.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47960 is active across all connected environments, with findings scored at CVSS 7.4 HIGH and routed according to each organization's compliance policy. Since Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that means a rebuilt image, a regression test run, and a PR opened against affected workloads with no manual steps required. In the interim, recommended compensating controls are: restricting network access to ColdFusion endpoints via container network policy; disabling external entity resolution in the application's XML handling where the configuration allows it, or, at the application or WAF layer, rejecting inbound XML that carries a DOCTYPE or entity declaration on endpoints whose legitimate input never needs a DTD; and applying egress filtering from ColdFusion containers. Note that egress filtering only blocks out-of-band exfiltration (an entity whose URI points at an attacker-controlled host); it does nothing against in-band reads where the fetched file contents come back in the server's own response, so it complements rather than replaces the parser-level control.
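The following is an added illustration of the file-read primitive described under Blast Radius and of the parser-level control recommended above. It is written against Python's standard-library expat binding and is not ColdFusion code; the advisory does not describe ColdFusion's actual trigger, so the payload, the secret file, and the resolving parser are all constructed here to show the generic mechanism. `parse_resolving` emulates a parser that follows external entities, `parse_hardened` refuses any document with a DTD, and `has_dtd_markers` is the cheap pre-parse screen a WAF rule would apply.

```python
"""XXE in miniature: a parser that follows external entities leaks a file,
a parser that refuses DTDs does not, and a pre-parse screen catches the payload.

Added illustration using Python's stdlib expat binding; it is not ColdFusion
code and does not reproduce the actual trigger for CVE-2026-47960.
"""
import os
import tempfile
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised by the hardened parser when the document carries a DTD."""


def xxe_payload(path: str) -> bytes:
    """Constructed attacker document: an external general entity backed by a file: URI."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<data>&xxe;</data>"
    ).encode()


def parse_resolving(xml_bytes: bytes) -> str:
    """Behave like a misconfigured parser: fetch external entities and splice their
    bytes into the document's character data.  Returns the document's text content."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_text(data):
        chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # This demo resolves only file: URIs; a real resolver would also fetch http(s),
        # which is the out-of-band exfiltration path egress filtering is meant to cut.
        if system_id and system_id.startswith("file://"):
            with open(system_id[len("file://"):], "rb") as fh:
                child = parser.ExternalEntityParserCreate(context)
                child.CharacterDataHandler = on_text
                child.Parse(fh.read(), True)
        return 1  # non-zero tells expat to continue parsing

    parser.CharacterDataHandler = on_text
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse, but abort on the first DOCTYPE.  With no DTD there can be no entity
    declarations, so neither external-entity file reads nor expansion bombs are possible."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeForbidden(f"DTD rejected: <!DOCTYPE {doctype_name}>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def has_dtd_markers(body: bytes) -> bool:
    """Cheap WAF-style screen for endpoints that should never receive a DTD.
    XML keywords are case-sensitive, so a byte search suffices for well-formed UTF-8
    input; a UTF-16 request body would need transcoding before this check."""
    return b"<!DOCTYPE" in body or b"<!ENTITY" in body


def demo() -> dict:
    """Run all three behaviours against a constructed secret file and report the outcome."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("db.password=s3cr3t")  # constructed stand-in for a config secret
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_resolving(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except DoctypeForbidden:
            blocked = True
        return {"leaked": leaked, "blocked": blocked, "screened": has_dtd_markers(payload)}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the resolving parser returning the secret file's contents as ordinary element text, the hardened parser raising before any entity is declared, and the byte screen flagging the same payload. Refusing the DOCTYPE outright is the robust choice; merely ignoring external entities still leaves internal-entity expansion attacks on the table.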

Affected packages
  • Adobe / ColdFusion
    ≤ 2025.8 (2025 branch); ≤ 2023.19 (2023 branch)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N