{"api_version":"1","generated_at":"2026-04-28T12:15:38+00:00","cve":"CVE-2025-61813","urls":{"html":"https://cve.report/CVE-2025-61813","api":"https://cve.report/api/cve/CVE-2025-61813.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-61813","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-61813"},"summary":{"title":"ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)","description":"ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed.","state":"PUBLISHED","assigner":"adobe","published_at":"2025-12-10 00:16:09","updated_at":"2026-04-28 03:16:01"},"problem_types":["CWE-611","CWE-611 Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"psirt@adobe.com","type":"Secondary","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","availabilityRequirement":"NOT_DEFINED","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":8.2,"environmentalSeverity":"HIGH","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"NONE","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":8.2,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","version":"3.1"}}],"references":[{"url":"https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html","name":"https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html","refsource":"psirt@adobe.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-61813","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61813","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Adobe","product":"ColdFusion","version":"affected 2021.22 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update11","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update12","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update13","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update14","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update15","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update16","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update17","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update18","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update19","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update20","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update21","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update22","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update8","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2021","cpe7":"update9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update11","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update12","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update13","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update14","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update15","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update16","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update8","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2023","cpe7":"update9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2025","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2025","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2025","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2025","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61813","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adobe","cpe5":"coldfusion","cpe6":"2025","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-61813","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-12-10T15:44:03.284310Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-12-10T15:44:27.515Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"ColdFusion","vendor":"Adobe","versions":[{"lessThanOrEqual":"2021.22","status":"affected","version":"0","versionType":"semver"}]}],"datePublic":"2025-12-09T17:00:00.000Z","descriptions":[{"lang":"en","value":"ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","availabilityRequirement":"NOT_DEFINED","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":8.2,"environmentalSeverity":"HIGH","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"NONE","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":8.2,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-28T02:23:12.232Z","orgId":"078d4453-3bcd-4900-85e6-15281da43538","shortName":"adobe"},"references":[{"tags":["vendor-advisory"],"url":"https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html"}],"source":{"discovery":"EXTERNAL"},"title":"ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)"}},"cveMetadata":{"assignerOrgId":"078d4453-3bcd-4900-85e6-15281da43538","assignerShortName":"adobe","cveId":"CVE-2025-61813","datePublished":"2025-12-09T23:41:12.929Z","dateReserved":"2025-10-01T17:52:06.977Z","dateUpdated":"2026-04-28T02:23:12.232Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-12-10 00:16:09","lastModifiedDate":"2026-04-28 03:16:01","problem_types":["CWE-611","CWE-611 Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)"],"metrics":{"cvssMetricV31":[{"source":"psirt@adobe.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*","matchCriteriaId":"7A94B406-C011-4673-8C2B-0DD94D46CC4C"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*","matchCriteriaId":"AFD05E3A-10F9-4C75-9710-BA46B66FF6E6"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*","matchCriteriaId":"F1FC7D1D-6DD2-48B2-980F-B001B0F24473"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*","matchCriteriaId":"1FA19E1D-61C2-4640-AF06-4BCFE750BDF3"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*","matchCriteriaId":"3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*","matchCriteriaId":"63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*","matchCriteriaId":"10616A3A-0C1C-474A-BD7D-A2A5BB870F74"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*","matchCriteriaId":"D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*","matchCriteriaId":"151AFF8B-F05C-4D27-85FC-DF88E9C11BEA"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*","matchCriteriaId":"53A0E245-2915-4DFF-AFB5-A12F5C435702"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*","matchCriteriaId":"C5653D18-7534-48A3-819F-9F049A418F99"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*","matchCriteriaId":"BABC6468-A780-4080-A930-4125D1B39C51"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*","matchCriteriaId":"D57C8681-AC68-47DF-A61E-B5C4B4A47663"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*","matchCriteriaId":"F58633C9-E957-46B7-8F5B-B060A8726E33"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update21:*:*:*:*:*:*","matchCriteriaId":"3CF83653-86BB-461A-87F8-65D99EF2276E"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update22:*:*:*:*:*:*","matchCriteriaId":"C2C67E15-22DE-44C0-8CB1-9AF8FCF09FA5"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*","matchCriteriaId":"75608383-B727-48D6-8FFA-D552A338A562"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*","matchCriteriaId":"7773DB68-414A-4BA9-960F-52471A784379"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*","matchCriteriaId":"B38B9E86-BCD5-4BCA-8FB7-EC55905184E6"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*","matchCriteriaId":"5E7BAB80-8455-4570-A2A2-8F40469EE9CC"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*","matchCriteriaId":"F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*","matchCriteriaId":"6E22D701-B038-4795-AA32-A18BC93C2B6F"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*","matchCriteriaId":"CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*","matchCriteriaId":"B02A37FE-5D31-4892-A3E6-156A8FE62D28"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*","matchCriteriaId":"0AA3D302-CFEE-4DFD-AB92-F53C87721BFF"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*","matchCriteriaId":"645D1B5F-2DAB-4AB8-A465-AC37FF494F95"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*","matchCriteriaId":"ED6D8996-0770-4C9F-BEA5-87EA479D40A5"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*","matchCriteriaId":"4836086E-3D4A-4A07-A372-382D385CB490"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*","matchCriteriaId":"CBC19168-4184-4B59-B9C8-E98844124EED"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*","matchCriteriaId":"A60DCD92-9A5B-411C-9554-642C91D77FAE"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update15:*:*:*:*:*:*","matchCriteriaId":"58CC65EF-60A3-4DFA-AA51-E5013F116CEA"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update16:*:*:*:*:*:*","matchCriteriaId":"2E3EBFB1-4488-4924-A2E2-B7E422D68345"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*","matchCriteriaId":"EB88D4FE-5496-4639-BAF2-9F29F24ABF29"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*","matchCriteriaId":"43E0ED98-2C1F-40B8-AF60-FEB1D85619C0"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*","matchCriteriaId":"76204873-C6E0-4202-8A03-0773270F1802"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*","matchCriteriaId":"C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*","matchCriteriaId":"E3A83642-BF14-4C37-BD94-FA76AABE8ADC"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*","matchCriteriaId":"A892E1DC-F2C8-4F53-8580-A2D1BEED5A25"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*","matchCriteriaId":"DB97ADBA-C1A9-4EE0-9509-68CB12358AE5"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*","matchCriteriaId":"E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*","matchCriteriaId":"30779417-D4E5-4A01-BE0E-1CE1D134292A"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*","matchCriteriaId":"80D7FC6A-F264-4CB1-A18D-B091EBA47882"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*","matchCriteriaId":"E3DA0D20-93BA-4C76-A400-159853CD7277"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2025:update3:*:*:*:*:*:*","matchCriteriaId":"5BAB6F21-61F1-43AB-88BA-553CD9AD6C0E"},{"vulnerable":true,"criteria":"cpe:2.3:a:adobe:coldfusion:2025:update4:*:*:*:*:*:*","matchCriteriaId":"C85288B9-5D63-49EA-828A-8DB3BB2367F6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"61813","Ordinal":"1","Title":"ColdFusion | Improper Restriction of XML External Entity Referen","CVE":"CVE-2025-61813","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"61813","Ordinal":"1","NoteData":"ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed.","Type":"Description","Title":"ColdFusion | Improper Restriction of XML External Entity Referen"}]}}}