CVE-2025-30287
HIGHDescription
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed.
Is your site exposed to CVE-2025-30287?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
| adobe | coldfusion |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-30287? +
How severe is CVE-2025-30287? +
What products are affected by CVE-2025-30287? +
How do I check if I'm vulnerable to CVE-2025-30287? +
Related Vulnerabilities
Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins …
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated …
Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware …
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset, …
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose …
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO discovery and pre-validation flow returned organization-related SSO …