Lucee CFML Server Reflected XSS Vulnerability (CVE-2026-29519)
Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines are vulnerable to a reflected cross-site scripting (XSS) flaw in URL path parsing, allowing unauthenticated remote attackers to embed arbitrary HTML or JavaScript payloads within the request path which, when visited by a victim, enables the execution of arbitrary JavaScript in the victim's browser for purposes such as session hijacking or unauthorized actions against the Lucee administrative interface.
CVE-2026-29519 affects Lucee CFML Server versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x, revealing a reflected cross-site scripting (XSS) vulnerability. This flaw resides within the URL path parsing mechanism, allowing unauthenticated remote attackers to inject arbitrary HTML or JavaScript directly into the request path. When a crafted malicious URL is accessed by a victim, the Lucee server reflects this unsanitized content back in its response, causing the victim's browser to execute the attacker-supplied script. This can lead to serious consequences, including session hijacking, unauthorized actions performed through the victim's authenticated session, or other client-side attacks. The vulnerability's impact is significant due to its unauthenticated nature and potential for direct client-side code execution.
Attack Chain
- An unauthenticated attacker identifies a vulnerable Lucee CFML Server instance.
- The attacker crafts a malicious URL, embedding an HTML or JavaScript payload within the request path (e.g.,
https://vulnerable.lucee.example/path/<script>alert(document.cookie)</script>/). - The attacker then socially engineers a victim into clicking the crafted malicious URL, potentially via phishing emails or compromised websites.
- The victim's web browser sends the request containing the malicious URL path to the vulnerable Lucee CFML Server.
- The Lucee server processes the request, and due to the vulnerability, improperly parses and reflects the attacker's embedded HTML/JavaScript payload directly into the server's HTTP response without adequate output encoding.
- The victim's browser receives the server's response and, upon rendering the page, executes the reflected JavaScript payload embedded in the response.
- The malicious JavaScript executes in the context of the victim's browser, potentially leading to session hijacking by exfiltrating cookies, performing unauthorized actions against the Lucee administrative interface (if the victim is authenticated), or redirecting the victim to a malicious site.
Impact
Successful exploitation of CVE-2026-29519 can result in various client-side attacks against unsuspecting users of the Lucee CFML Server. The primary impacts include session hijacking, where an attacker can gain unauthorized access to a victim's authenticated session (e.g., to the administrative interface), enabling them to perform actions as the victim. Furthermore, attackers can deface web pages, redirect users to malicious sites, or leverage the victim's browser for further attacks. The CVSS v3.1 Base Score of 8.2 reflects the high severity of this vulnerability, indicating significant potential damage if exploited.
Recommendation
- Patch CVE-2026-29519 by updating Lucee CFML Server to a fixed version immediately to mitigate the reflected XSS vulnerability.
- Deploy the
Detects CVE-2026-29519 Exploitation - Lucee CFML Server Reflected XSS AttemptSigma rule to your SIEM to detect suspicious URL paths containing potential XSS payloads. - Monitor web server access logs for unusual request patterns, particularly those with script-like content or HTML tags in the URL path, which could indicate exploitation attempts against this XSS vulnerability.
Detection coverage 1
Detects CVE-2026-29519 Exploitation - Lucee CFML Server Reflected XSS Attempt
highDetects exploitation attempts for CVE-2026-29519, a reflected XSS vulnerability in Lucee CFML Server, by identifying common script tags or HTML entities in the URL path.
Detection queries are available on the platform. Get full rules →