PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29519 lucee CVE debrief

CVE-2026-29519 is a reflected cross-site scripting vulnerability affecting Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines. The vulnerability allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link. The CVSS score for this vulnerability is 6.2, with a severity rating of MEDIUM.

Vendor
lucee
Product
Unknown
CVSS
MEDIUM 6.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines should apply patches or mitigations to prevent exploitation of this vulnerability. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for ensuring the security and integrity of affected systems.

Technical summary

The vulnerability exists in the URL path parsing of Lucee CFML Server, allowing attackers to inject malicious scripts. The CVSS score for this vulnerability is 6.2, with a severity rating of MEDIUM. Affected product deployments should be identified and prioritized for patching or mitigation. The vulnerability allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path.

Defensive priority

Apply patches or mitigations to prevent exploitation of this vulnerability. Prioritize patching or mitigation based on the severity of the vulnerability and the potential impact on the organization.

Recommended defensive actions

  • Apply patches or updates to Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines.
  • Implement input validation and output encoding to prevent injection of malicious scripts.
  • Monitor Lucee CFML Server logs for suspicious activity.
  • Restrict access to the Lucee administrative interface.
  • Consider implementing a web application firewall to detect and prevent exploitation.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.

Evidence notes

The CVE record was published on 2026-07-10T15:16:39.007Z and was last modified on 2026-07-10T17:56:00.910Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines for potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T15:16:39.007Z and has not been modified since then. The NVD entry is currently Deferred.