Multiple Sophos Intercept X Vulnerabilities
July 18, 2025
Severity
High
Analysis Summary
CVE-2025-49536 CVSS:7.3
Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an incorrect authorization vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to bypass security measures and gain unauthorized access.
CVE-2025-49537 CVSS:7.9
Adobe ColdFusion could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the privileges of the victim or cause the application to crash.
CVE-2025-49551 CVSS:8.8
Adobe ColdFusion could allow a remote attacker to gain elevated privileges on the system, caused by the use of hard-coded credentials. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2025-49538 CVSS:7.4
Adobe ColdFusion could allow a remote attacker to obtain sensitive information, caused by an XML Injection vulnerability. By injecting specially crafted XML or XPath queries, a remote attacker could exploit this vulnerability to access unauthorized files or cause a denial of service.
Impact
- Security Bypass
- Privilege Escalation
- Information Disclosure
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-49536
- CVE-2025-49537
- CVE-2025-49551
- CVE-2025-49538
Affected Vendors
- Adobe
Affected Products
- Adobe ColdFusion 2021 - Update 20
- Adobe ColdFusion 2023 - Update 14
- Adobe ColdFusion 2025 - Update 2
Remediation
Refer to the Adobe Security Bulletin for patch, upgrade, or suggested workaround information.