CVE-2025-49538

Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier

Description: The issue is related to an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this problem by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and the attack must have access to shared secrets.

Recommendations: For versions 2025.2, 2023.14, and 2021.20, update to a version that contains a fix for this issue. For versions prior to 2021.20, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.