CVE-2026-29519 in Luceeinfo

Summary

by MITRE • 07/10/2026

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical cross-site scripting flaw affecting multiple versions of the Lucee CFML Server platform which operates as a web application server and cfml engine. The security issue manifests in how the server processes URL paths, specifically failing to properly sanitize or encode output when reflecting user-supplied input back to browsers. This weakness creates an environment where malicious actors can inject JavaScript code into request paths that gets subsequently executed in the victim's browser context.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding mechanisms within Lucee's URL parsing functionality. When a client makes a request containing specially crafted path parameters, the server processes these inputs without sufficient sanitization before including them in HTTP responses. This failure directly maps to CWE-79 which defines cross-site scripting vulnerabilities as weaknesses that occur when an application includes untrusted data in web pages without proper validation or encoding. The vulnerability affects all versions within the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines, indicating a widespread issue across multiple major releases of the platform.

From an operational perspective, this vulnerability poses significant risks to organizations utilizing Lucee CFML Server as their primary web application platform. Attackers can leverage this weakness to perform session hijacking attacks by injecting malicious scripts that steal authentication tokens or cookies from users interacting with the server. The reflected nature of the vulnerability means that successful exploitation requires user interaction through visiting a malicious link, but once triggered, attackers can potentially gain unauthorized access to administrative interfaces or perform actions on behalf of authenticated users. This makes the vulnerability particularly dangerous in environments where Lucee servers manage sensitive data or provide administrative access to critical systems.

The security implications extend beyond simple script execution as this vulnerability enables more sophisticated attack vectors within the broader ATT&CK framework. Specifically, it relates to techniques involving initial access through malicious links and privilege escalation by leveraging administrative interface access. Organizations running affected versions should immediately implement mitigations including input validation at the application level, output encoding of all user-supplied data in URL paths, and deployment of web application firewalls that can detect and block suspicious payload patterns. Additionally, organizations should consider implementing Content Security Policy headers to limit script execution capabilities and conduct comprehensive security assessments to identify any potential exploitation attempts within their network traffic. The vulnerability demonstrates the importance of proper input validation and output encoding practices as fundamental security controls that must be implemented consistently across all web application components to prevent similar issues from occurring in other parts of the system architecture.

Responsible

VulnCheck

Reservation

03/04/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!