Back to overview

CVE-2026-29519

HIGH Exploitation: PoC
8.2
CVSS 3.1
Description
Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.

Metadata

CVE ID
CVE-2026-29519
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-03-04 15:39 UTC
Published
2026-07-10 14:09 UTC
Last updated
2026-07-10 17:00 UTC
Primary CWE
CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product
lucee / Lucee
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
lucee Lucee 5.3.1.95 ≤ 7.0.0.395
Weakness (CWE)
CWESourceDescription
CWE-79 cna Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
6.2 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Back to overview