Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 13 Jul 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lucee
Lucee lucee |
|
| Vendors & Products |
Lucee
Lucee lucee |
Fri, 10 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link. | |
| Title | Lucee CFML Server Reflected XSS via URL Path Parsing | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T17:00:41.627Z
Reserved: 2026-03-04T15:39:26.872Z
Link: CVE-2026-29519
Updated: 2026-07-10T16:39:19.748Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T20:00:05Z