CVE-2026-29519

Lucee · Lucee

Lucee CFML Server is affected by a reflected Cross-Site Scripting (XSS) vulnerability triggered via manipulated URL path parsing.

Executive summary

A reflected Cross-Site Scripting vulnerability in Lucee CFML Server allows unauthenticated attackers to execute arbitrary scripts in the context of a user's browser session.

Vulnerability

The vulnerability involves improper neutralization of input during web page generation (CWE-79). An unauthenticated attacker can craft malicious URLs that, when processed by the server, inject scripts into the response delivered to the victim's browser.

Business impact

Exploitation of this XSS vulnerability can lead to session hijacking, credential theft, or the execution of malicious actions on behalf of authenticated users. Given the CVSS score of 8.2 and the availability of a public proof-of-concept, the risk of targeted attacks against organizational users is elevated, potentially impacting internal service integrity.

Remediation

Immediate Action: Check the official Lucee security advisories for the latest available security release and apply it to all affected servers.

Proactive Monitoring: Monitor web traffic for anomalous URL patterns containing script injection payloads and review logs for signs of suspicious client-side activity.

Compensating Controls: Implement a strong Content Security Policy (CSP) to restrict the execution of unauthorized scripts and utilize WAF rules to filter malicious input from URL paths.

Exploitation status

Public Exploit Available: true

Analyst recommendation

The presence of a public exploit makes this vulnerability highly actionable for threat actors. Organizations utilizing Lucee must prioritize the identification of affected instances and apply the necessary vendor patches or security configurations immediately to prevent user compromise.