Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-49538 (GCVE-0-2025-49538)
Vulnerability from cvelistv5 – Published: 2025-07-08 20:49 – Updated: 2025-07-09 16:06
VLAI
EPSS
Title
ColdFusion | XML Injection (aka Blind XPath Injection) (CWE-91)
Summary
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
Severity
7.4 (High)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection) (CWE-91)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfus… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | ColdFusion |
Affected:
0 , ≤ 2021.20
(semver)
|
Date Public
2025-07-08 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T13:46:17.803953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T16:06:34.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ColdFusion",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2021.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-07-08T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.4,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "HIGH",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T20:49:29.949Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ColdFusion | XML Injection (aka Blind XPath Injection) (CWE-91)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2025-49538",
"datePublished": "2025-07-08T20:49:29.949Z",
"dateReserved": "2025-06-06T15:42:09.515Z",
"dateUpdated": "2025-07-09T16:06:34.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-49538",
"date": "2026-05-25",
"epss": "0.00635",
"percentile": "0.70642"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-49538\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2025-07-08T21:15:26.597\",\"lastModified\":\"2025-07-11T17:45:04.767\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.\"},{\"lang\":\"es\",\"value\":\"Las versiones 2025.2, 2023.14, 2021.20 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de inyecci\u00f3n XML que podr\u00eda provocar la lectura arbitraria del sistema de archivos. Un atacante puede explotar este problema inyectando consultas XML o XPath manipuladas para acceder a archivos no autorizados o provocar una denegaci\u00f3n de servicio. Para explotar este problema no se requiere la interacci\u00f3n del usuario y el ataque debe tener acceso a secretos compartidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-91\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A94B406-C011-4673-8C2B-0DD94D46CC4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFD05E3A-10F9-4C75-9710-BA46B66FF6E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1FC7D1D-6DD2-48B2-980F-B001B0F24473\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FA19E1D-61C2-4640-AF06-4BCFE750BDF3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*\",\"matchCriteriaId\":\"63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*\",\"matchCriteriaId\":\"10616A3A-0C1C-474A-BD7D-A2A5BB870F74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*\",\"matchCriteriaId\":\"151AFF8B-F05C-4D27-85FC-DF88E9C11BEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*\",\"matchCriteriaId\":\"53A0E245-2915-4DFF-AFB5-A12F5C435702\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5653D18-7534-48A3-819F-9F049A418F99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*\",\"matchCriteriaId\":\"BABC6468-A780-4080-A930-4125D1B39C51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D57C8681-AC68-47DF-A61E-B5C4B4A47663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*\",\"matchCriteriaId\":\"F58633C9-E957-46B7-8F5B-B060A8726E33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"75608383-B727-48D6-8FFA-D552A338A562\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"7773DB68-414A-4BA9-960F-52471A784379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B38B9E86-BCD5-4BCA-8FB7-EC55905184E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E7BAB80-8455-4570-A2A2-8F40469EE9CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E22D701-B038-4795-AA32-A18BC93C2B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B02A37FE-5D31-4892-A3E6-156A8FE62D28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0AA3D302-CFEE-4DFD-AB92-F53C87721BFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*\",\"matchCriteriaId\":\"645D1B5F-2DAB-4AB8-A465-AC37FF494F95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED6D8996-0770-4C9F-BEA5-87EA479D40A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*\",\"matchCriteriaId\":\"4836086E-3D4A-4A07-A372-382D385CB490\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBC19168-4184-4B59-B9C8-E98844124EED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*\",\"matchCriteriaId\":\"A60DCD92-9A5B-411C-9554-642C91D77FAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB88D4FE-5496-4639-BAF2-9F29F24ABF29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"43E0ED98-2C1F-40B8-AF60-FEB1D85619C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"76204873-C6E0-4202-8A03-0773270F1802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3A83642-BF14-4C37-BD94-FA76AABE8ADC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"A892E1DC-F2C8-4F53-8580-A2D1BEED5A25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB97ADBA-C1A9-4EE0-9509-68CB12358AE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*\",\"matchCriteriaId\":\"E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"30779417-D4E5-4A01-BE0E-1CE1D134292A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"80D7FC6A-F264-4CB1-A18D-B091EBA47882\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3DA0D20-93BA-4C76-A400-159853CD7277\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49538\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-09T13:46:17.803953Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-09T13:49:10.787Z\"}}], \"cna\": {\"title\": \"ColdFusion | XML Injection (aka Blind XPath Injection) (CWE-91)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\", \"modifiedScope\": \"UNCHANGED\", \"temporalScore\": 7.4, \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"remediationLevel\": \"NOT_DEFINED\", \"reportConfidence\": \"NOT_DEFINED\", \"temporalSeverity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"environmentalScore\": 7.4, \"privilegesRequired\": \"NONE\", \"exploitCodeMaturity\": \"NOT_DEFINED\", \"integrityRequirement\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NETWORK\", \"confidentialityImpact\": \"HIGH\", \"environmentalSeverity\": \"HIGH\", \"availabilityRequirement\": \"NOT_DEFINED\", \"modifiedIntegrityImpact\": \"NONE\", \"modifiedUserInteraction\": \"NONE\", \"modifiedAttackComplexity\": \"HIGH\", \"confidentialityRequirement\": \"NOT_DEFINED\", \"modifiedAvailabilityImpact\": \"HIGH\", \"modifiedPrivilegesRequired\": \"NONE\", \"modifiedConfidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"ColdFusion\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2021.20\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2025-07-08T17:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-91\", \"description\": \"XML Injection (aka Blind XPath Injection) (CWE-91)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2025-07-08T20:49:29.949Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-49538\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-09T16:06:34.728Z\", \"dateReserved\": \"2025-06-06T15:42:09.515Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2025-07-08T20:49:29.949Z\", \"assignerShortName\": \"adobe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2025-AVI-0569
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Adobe ColdFusion. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Adobe | ColdFusion | ColdFusion 2023 versions antérieures à Update 15 | ||
| Adobe | ColdFusion | ColdFusion 2025 versions antérieures à Update 3 | ||
| Adobe | ColdFusion | ColdFusion 2021 versions antérieures à Update 21 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "ColdFusion 2023 versions ant\u00e9rieures \u00e0 Update 15",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion 2025 versions ant\u00e9rieures \u00e0 Update 3",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion 2021 versions ant\u00e9rieures \u00e0 Update 21",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-49543",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49543"
},
{
"name": "CVE-2025-49538",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49538"
},
{
"name": "CVE-2025-49551",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49551"
},
{
"name": "CVE-2025-49536",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49536"
},
{
"name": "CVE-2025-49545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49545"
},
{
"name": "CVE-2025-49540",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49540"
},
{
"name": "CVE-2025-49542",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49542"
},
{
"name": "CVE-2025-49546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49546"
},
{
"name": "CVE-2025-49544",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49544"
},
{
"name": "CVE-2025-49535",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49535"
},
{
"name": "CVE-2025-49537",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49537"
},
{
"name": "CVE-2025-49541",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49541"
},
{
"name": "CVE-2025-49539",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49539"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0569",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Adobe ColdFusion. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Adobe ColdFusion",
"vendor_advisories": [
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB25-69",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
]
}
CERTFR-2025-AVI-0569
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Adobe ColdFusion. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Adobe | ColdFusion | ColdFusion 2023 versions antérieures à Update 15 | ||
| Adobe | ColdFusion | ColdFusion 2025 versions antérieures à Update 3 | ||
| Adobe | ColdFusion | ColdFusion 2021 versions antérieures à Update 21 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "ColdFusion 2023 versions ant\u00e9rieures \u00e0 Update 15",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion 2025 versions ant\u00e9rieures \u00e0 Update 3",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion 2021 versions ant\u00e9rieures \u00e0 Update 21",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-49543",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49543"
},
{
"name": "CVE-2025-49538",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49538"
},
{
"name": "CVE-2025-49551",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49551"
},
{
"name": "CVE-2025-49536",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49536"
},
{
"name": "CVE-2025-49545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49545"
},
{
"name": "CVE-2025-49540",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49540"
},
{
"name": "CVE-2025-49542",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49542"
},
{
"name": "CVE-2025-49546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49546"
},
{
"name": "CVE-2025-49544",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49544"
},
{
"name": "CVE-2025-49535",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49535"
},
{
"name": "CVE-2025-49537",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49537"
},
{
"name": "CVE-2025-49541",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49541"
},
{
"name": "CVE-2025-49539",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49539"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0569",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Adobe ColdFusion. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Adobe ColdFusion",
"vendor_advisories": [
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB25-69",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
]
}
CNVD-2025-16377
Vulnerability from cnvd - Published: 2025-07-21
VLAI
Title
Adobe ColdFusion XML注入漏洞
Description
Adobe ColdFusion是美国奥多比(Adobe)公司的一套快速应用程序开发平台。该平台包括集成开发环境和脚本语言。
Adobe ColdFusion存在XML注入漏洞,攻击者可利用该漏洞访问未经授权的文件或导致拒绝服务。
Severity
高
Patch Name
Adobe ColdFusion XML注入漏洞的补丁
Patch Description
Adobe ColdFusion是美国奥多比(Adobe)公司的一套快速应用程序开发平台。该平台包括集成开发环境和脚本语言。
Adobe ColdFusion存在XML注入漏洞,攻击者可利用该漏洞访问未经授权的文件或导致拒绝服务。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-49538
Impacted products
| Name | ['Adobe ColdFusion 2025 <=Update 2', 'Adobe ColdFusion 2023 <=Update 14', 'Adobe ColdFusion 2021 <=Update 20'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2025-49538",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-49538"
}
},
"description": "Adobe ColdFusion\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u5feb\u901f\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5305\u62ec\u96c6\u6210\u5f00\u53d1\u73af\u5883\u548c\u811a\u672c\u8bed\u8a00\u3002\n\nAdobe ColdFusion\u5b58\u5728XML\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u672a\u7ecf\u6388\u6743\u7684\u6587\u4ef6\u6216\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://helpx.adobe.com/security/products/coldfusion/apsb25-69.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2025-16377",
"openTime": "2025-07-21",
"patchDescription": "Adobe ColdFusion\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u5feb\u901f\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5305\u62ec\u96c6\u6210\u5f00\u53d1\u73af\u5883\u548c\u811a\u672c\u8bed\u8a00\u3002\r\n\r\nAdobe ColdFusion\u5b58\u5728XML\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u672a\u7ecf\u6388\u6743\u7684\u6587\u4ef6\u6216\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Adobe ColdFusion XML\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Adobe ColdFusion 2025 \u003c=Update 2",
"Adobe ColdFusion 2023 \u003c=Update 14",
"Adobe ColdFusion 2021 \u003c=Update 20"
]
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-49538",
"serverity": "\u9ad8",
"submitTime": "2025-07-21",
"title": "Adobe ColdFusion XML\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2025-49538
Vulnerability from fkie_nvd - Published: 2025-07-08 21:15 - Updated: 2025-07-11 17:45
Severity
Summary
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2025 | |
| adobe | coldfusion | 2025 | |
| adobe | coldfusion | 2025 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*",
"matchCriteriaId": "7A94B406-C011-4673-8C2B-0DD94D46CC4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*",
"matchCriteriaId": "AFD05E3A-10F9-4C75-9710-BA46B66FF6E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*",
"matchCriteriaId": "F1FC7D1D-6DD2-48B2-980F-B001B0F24473",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*",
"matchCriteriaId": "1FA19E1D-61C2-4640-AF06-4BCFE750BDF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*",
"matchCriteriaId": "3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*",
"matchCriteriaId": "63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*",
"matchCriteriaId": "10616A3A-0C1C-474A-BD7D-A2A5BB870F74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*",
"matchCriteriaId": "D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*",
"matchCriteriaId": "151AFF8B-F05C-4D27-85FC-DF88E9C11BEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*",
"matchCriteriaId": "53A0E245-2915-4DFF-AFB5-A12F5C435702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*",
"matchCriteriaId": "C5653D18-7534-48A3-819F-9F049A418F99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*",
"matchCriteriaId": "BABC6468-A780-4080-A930-4125D1B39C51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*",
"matchCriteriaId": "D57C8681-AC68-47DF-A61E-B5C4B4A47663",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*",
"matchCriteriaId": "F58633C9-E957-46B7-8F5B-B060A8726E33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*",
"matchCriteriaId": "75608383-B727-48D6-8FFA-D552A338A562",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*",
"matchCriteriaId": "7773DB68-414A-4BA9-960F-52471A784379",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*",
"matchCriteriaId": "B38B9E86-BCD5-4BCA-8FB7-EC55905184E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*",
"matchCriteriaId": "5E7BAB80-8455-4570-A2A2-8F40469EE9CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*",
"matchCriteriaId": "F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*",
"matchCriteriaId": "6E22D701-B038-4795-AA32-A18BC93C2B6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*",
"matchCriteriaId": "CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*",
"matchCriteriaId": "B02A37FE-5D31-4892-A3E6-156A8FE62D28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*",
"matchCriteriaId": "0AA3D302-CFEE-4DFD-AB92-F53C87721BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*",
"matchCriteriaId": "645D1B5F-2DAB-4AB8-A465-AC37FF494F95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*",
"matchCriteriaId": "ED6D8996-0770-4C9F-BEA5-87EA479D40A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*",
"matchCriteriaId": "4836086E-3D4A-4A07-A372-382D385CB490",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*",
"matchCriteriaId": "CBC19168-4184-4B59-B9C8-E98844124EED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*",
"matchCriteriaId": "A60DCD92-9A5B-411C-9554-642C91D77FAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*",
"matchCriteriaId": "EB88D4FE-5496-4639-BAF2-9F29F24ABF29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*",
"matchCriteriaId": "43E0ED98-2C1F-40B8-AF60-FEB1D85619C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*",
"matchCriteriaId": "76204873-C6E0-4202-8A03-0773270F1802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*",
"matchCriteriaId": "C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*",
"matchCriteriaId": "E3A83642-BF14-4C37-BD94-FA76AABE8ADC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*",
"matchCriteriaId": "A892E1DC-F2C8-4F53-8580-A2D1BEED5A25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*",
"matchCriteriaId": "DB97ADBA-C1A9-4EE0-9509-68CB12358AE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*",
"matchCriteriaId": "E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*",
"matchCriteriaId": "30779417-D4E5-4A01-BE0E-1CE1D134292A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*",
"matchCriteriaId": "80D7FC6A-F264-4CB1-A18D-B091EBA47882",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*",
"matchCriteriaId": "E3DA0D20-93BA-4C76-A400-159853CD7277",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets."
},
{
"lang": "es",
"value": "Las versiones 2025.2, 2023.14, 2021.20 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de inyecci\u00f3n XML que podr\u00eda provocar la lectura arbitraria del sistema de archivos. Un atacante puede explotar este problema inyectando consultas XML o XPath manipuladas para acceder a archivos no autorizados o provocar una denegaci\u00f3n de servicio. Para explotar este problema no se requiere la interacci\u00f3n del usuario y el ataque debe tener acceso a secretos compartidos."
}
],
"id": "CVE-2025-49538",
"lastModified": "2025-07-11T17:45:04.767",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2025-07-08T21:15:26.597",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
}
GHSA-J22J-2QPH-CFXC
Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30
VLAI
Details
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
Severity
7.4 (High)
{
"affected": [],
"aliases": [
"CVE-2025-49538"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T21:15:26Z",
"severity": "HIGH"
},
"details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.",
"id": "GHSA-j22j-2qph-cfxc",
"modified": "2025-07-08T21:30:28Z",
"published": "2025-07-08T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49538"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
NCSC-2025-0222
Vulnerability from csaf_ncscnl - Published: 2025-07-09 08:41 - Updated: 2025-07-09 08:41Summary
Kwetsbaarheden verholpen in Adobe ColdFusion
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Adobe heeft kwetsbaarheden verholpen in ColdFusion (Specifiek voor versies 25.2, 23.14, 21.20 en eerder).
Interpretaties: De kwetsbaarheden in ColdFusion omvatten onder andere een significante kwetsbaarheid met betrekking tot onjuiste beperking van XML External Entity Reference (XXE), hard-coded credentials, incorrecte autorisatie, XML-injectie, en verschillende soorten Cross-Site Scripting (XSS). Deze kwetsbaarheden stellen aanvallers in staat om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, privilege-escalatie uit te voeren, en schadelijke scripts in browsers van gebruikers uit te voeren. De meeste kwetsbaarheden zijn beperkt tot interne IP-adressen, wat de blootstelling kan verminderen, maar nog steeds een aanzienlijk risico vormt voor de beveiliging van de systemen. Aanvallers kunnen deze kwetsbaarheden misbruiken zonder gebruikersinteractie, wat de ernst van de situatie vergroot.
Oplossingen: Adobe heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-798: Use of Hard-coded Credentials
CWE-284: Improper Access Control
CWE-91: XML Injection (aka Blind XPath Injection)
CWE-918: Server-Side Request Forgery (SSRF)
CWE-863: Incorrect Authorization
CWE-611: Improper Restriction of XML External Entity Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
9.3 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
8.1 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
7.9 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
7.4 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
6.5 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
4.8 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
4.8 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
6.1 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
4.8 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
6.8 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
6.8 (Medium)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
CWE-284
- Improper Access Control
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
8.8 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/<=2021.20
Adobe / ColdFusion
|
vers:semver/<=2021.20 | ||
|
vers:adobe/<=update20
Adobe / ColdFusion 2021
|
vers:adobe/<=update20 | ||
|
vers:adobe/update21
Adobe / ColdFusion 2021
|
vers:adobe/update21 | ||
|
vers:adobe/<=update14
Adobe / ColdFusion 2023
|
vers:adobe/<=update14 | ||
|
vers:adobe/update15
Adobe / ColdFusion 2023
|
vers:adobe/update15 | ||
|
vers:adobe/<=update2
Adobe / ColdFusion 2025
|
vers:adobe/<=update2 | ||
|
vers:adobe/update3
Adobe / ColdFusion 2025
|
vers:adobe/update3 |
References
14 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Adobe heeft kwetsbaarheden verholpen in ColdFusion (Specifiek voor versies 25.2, 23.14, 21.20 en eerder).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in ColdFusion omvatten onder andere een significante kwetsbaarheid met betrekking tot onjuiste beperking van XML External Entity Reference (XXE), hard-coded credentials, incorrecte autorisatie, XML-injectie, en verschillende soorten Cross-Site Scripting (XSS). Deze kwetsbaarheden stellen aanvallers in staat om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, privilege-escalatie uit te voeren, en schadelijke scripts in browsers van gebruikers uit te voeren. De meeste kwetsbaarheden zijn beperkt tot interne IP-adressen, wat de blootstelling kan verminderen, maar nog steeds een aanzienlijk risico vormt voor de beveiliging van de systemen. Aanvallers kunnen deze kwetsbaarheden misbruiken zonder gebruikersinteractie, wat de ernst van de situatie vergroot.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Adobe heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Use of Hard-coded Credentials",
"title": "CWE-798"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "XML Injection (aka Blind XPath Injection)",
"title": "CWE-91"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"title": "Kwetsbaarheden verholpen in Adobe ColdFusion",
"tracking": {
"current_release_date": "2025-07-09T08:41:53.656736Z",
"generator": {
"date": "2025-06-05T14:45:00Z",
"engine": {
"name": "V.A.",
"version": "1.1"
}
},
"id": "NCSC-2025-0222",
"initial_release_date": "2025-07-09T08:41:53.656736Z",
"revision_history": [
{
"date": "2025-07-09T08:41:53.656736Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:semver/\u003c=2021.20",
"product": {
"name": "vers:semver/\u003c=2021.20",
"product_id": "CSAFPID-2965584"
}
}
],
"category": "product_name",
"name": "ColdFusion"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:adobe/\u003c=update20",
"product": {
"name": "vers:adobe/\u003c=update20",
"product_id": "CSAFPID-2965621"
}
},
{
"category": "product_version_range",
"name": "vers:adobe/update21",
"product": {
"name": "vers:adobe/update21",
"product_id": "CSAFPID-2965624"
}
}
],
"category": "product_name",
"name": "ColdFusion 2021"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:adobe/\u003c=update14",
"product": {
"name": "vers:adobe/\u003c=update14",
"product_id": "CSAFPID-2965620"
}
},
{
"category": "product_version_range",
"name": "vers:adobe/update15",
"product": {
"name": "vers:adobe/update15",
"product_id": "CSAFPID-2965623"
}
}
],
"category": "product_name",
"name": "ColdFusion 2023"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:adobe/\u003c=update2",
"product": {
"name": "vers:adobe/\u003c=update2",
"product_id": "CSAFPID-2965619"
}
},
{
"category": "product_version_range",
"name": "vers:adobe/update3",
"product": {
"name": "vers:adobe/update3",
"product_id": "CSAFPID-2965622"
}
}
],
"category": "product_name",
"name": "ColdFusion 2025"
}
],
"category": "vendor",
"name": "Adobe"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-49535",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49535 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49535.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49535"
},
{
"cve": "CVE-2025-49536",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49536 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49536.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49536"
},
{
"cve": "CVE-2025-49537",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49537 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49537.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.9,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49537"
},
{
"cve": "CVE-2025-49538",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"notes": [
{
"category": "other",
"text": "XML Injection (aka Blind XPath Injection)",
"title": "CWE-91"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49538 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49538.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49538"
},
{
"cve": "CVE-2025-49539",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49539 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49539.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49539"
},
{
"cve": "CVE-2025-49540",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49540 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49540.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49540"
},
{
"cve": "CVE-2025-49541",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49541 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49541.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49541"
},
{
"cve": "CVE-2025-49542",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49542 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49542.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49542"
},
{
"cve": "CVE-2025-49543",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49543 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49543.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49543"
},
{
"cve": "CVE-2025-49544",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49544 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49544.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49544"
},
{
"cve": "CVE-2025-49545",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49545 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49545.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49545"
},
{
"cve": "CVE-2025-49546",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49546 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49546.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49546"
},
{
"cve": "CVE-2025-49551",
"cwe": {
"id": "CWE-798",
"name": "Use of Hard-coded Credentials"
},
"notes": [
{
"category": "other",
"text": "Use of Hard-coded Credentials",
"title": "CWE-798"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49551 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49551.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2965584",
"CSAFPID-2965621",
"CSAFPID-2965624",
"CSAFPID-2965620",
"CSAFPID-2965623",
"CSAFPID-2965619",
"CSAFPID-2965622"
]
}
],
"title": "CVE-2025-49551"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…