Share
## https://sploitus.com/exploit?id=CFA31C7D-B336-529C-9469-4F88684AA898
# CVE-2026-29519-Lucee-Reflected-XSS
Proof of Concept for Reflected XSS in Lucee CFML (CVE-2026-29519)

# Framework 0-Day: Reflected XSS in Lucee CFML URL Parsing Affects Enterprise Deployments (Versions 5.3.1.95 to 7.x)

* **Discoverer:** Fouad Milat (lavado)  
* **Date Discovered:** December 6, 2025  
* **CVE:** CVE-2026-29519 
* **Vendor:** Lucee Association
* **Product:** Lucee CFML Server
* **Affected Versions:** 22 versions from 5.3.1.95 up to 7.0.0.395 & 7.x (latest)

# Description
A critical 0-day Reflected Cross-Site Scripting (**XSS**) vulnerability has been discovered in Lucee CFML's URL path parsing mechanism. This vulnerability allows attackers to inject and execute arbitrary **HTML/JavaScript** in the context of the Lucee application, including the administrative interface. The vulnerability affects **22** different **Lucee** versions spanning from **5.3.1.95** through the latest **7.x** release.

### Affected Versions
**22** versions from **5.3.1.95** through **7.0.1.100**, including all 7.x snapshots.

| Version | Status | Notes |
| ------------- | ------------- | :-------------:|
|  7.0.0.395  | βœ… VULNERABLE | Latest 7.x release |
|  6.2.3.35  | βœ… VULNERABLE | Latest 6.2.x patch |
|  6.2.2.91  | βœ… VULNERABLE |  |
|  6.2.1.122  | βœ… VULNERABLE |  |
|  6.2.0.321  | βœ… VULNERABLE | Original discovery version |
|  6.1.2.47  | βœ… VULNERABLE |  |
|  6.1.1.118  | βœ… VULNERABLE |  |
|  6.1.0.243  | βœ… VULNERABLE |  |
|  5.3.7.59  | βœ… VULNERABLE |  |
|  5.3.7.47  | βœ… VULNERABLE |  |
|  5.3.7.43  | βœ… VULNERABLE |  |
|  5.3.6.68  | βœ… VULNERABLE |  |
|  5.3.6.61  | βœ… VULNERABLE |  |
|  5.3.5.96  | βœ… VULNERABLE |  |
|  5.3.5.92  | βœ… VULNERABLE |  |
|  5.3.4.80  | βœ… VULNERABLE |  |
|  5.3.4.77  | βœ… VULNERABLE | Shows debug info in homepage |
|  5.3.3.67-SNAPSHOT	 | βœ… VULNERABLE |  |
|  5.3.3.62  | βœ… VULNERABLE |  |
|  5.3.2.77  | βœ… VULNERABLE |  |
|  5.3.1.102  | βœ… VULNERABLE |  |
|  5.3.1.95  | βœ… VULNERABLE |  |


# Proof of Concept
```bash
# 1. Start a vulnerable Lucee instance (example: 6.2.0.321 or Latest 7.x)
docker run -d -p 8888:8888 --name lucee-test lucee/lucee:6.2.0.321

# 2. Wait 35-40 seconds for initialization
sleep 40

# 3. Test the vulnerability by visiting:
http://[lucee-host]/test//index.cfm/

# 4. Observe JavaScript execution (alert dialog appears).

# 5. Clean up
docker stop lucee-test 2>/dev/null; docker rm lucee-test 2>/dev/null

```





# Patch

No official patch has been released by Lucee, as the vendor did not respond to this report. However, the following versions are **not vulnerable**:

**Secure Versions (Not Vulnerable)**

Companies can upgrade/downgrade to these versions to avoid the XSS:

**6.0.x Branch (Secure)**
* 6.0.4.10 (latest secure 6.0.x)
* 6.0.3.1
* 6.0.2.45
* 6.0.1.83
* 6.0.0.585-SNAPSHOT-light-nginx

**5.4.x Branch (Secure)**
* 5.4.8.2 (latest secure 5.4.x)
* 5.4.7.3
* 5.4.7.2
* 5.4.6.9
* 5.4.5.23
* 5.4.4.38
* 5.4.3.16
* 5.4.3.15
* 5.4.3.2
* 5.4.2.17
* 5.4.1.8
* 5.4.0.80

**5.3.x Branch (Some Secure)**
* 5.3.12.1
* 5.3.11.5
* 5.3.10.120
* 5.3.10.97
* 5.3.9.173
* 5.3.9.166
* 5.3.9.160
* 5.3.9.141
* 5.3.9.133
* 5.3.8.237
* 5.3.8.206
* 5.3.8.205-SNAPSHOT
* 5.3.8.201
* 5.3.8.189

### Testing Methodology

> Environment

- **Testing Duration:** 18+ hours manual testing

- **Versions Tested:** 50+ Lucee releases (4.5.1.024 through 7.0.0.395)

- **Platform:** Docker containers on Ubuntu Linux

- **Tools:** curl, manual browser testing, Burp Suite

# Recommendation for Companies
1- **Upgrade to the latest secure version:**

* If on 6.x: Upgrade to 6.0.4.10 (or any 6.0.x above 6.0.1.83).
* If on 5.x: Upgrade to 5.4.8.2 (or any secure 5.4.x).

2- **If upgrading is not possible**, apply a temporary WAF rule to block HTML tags in URL paths. Example (nginx):
`location ~* "" { return 403; }`

3- **Monitor Lucee's official channels** for a future security patch. Since the vendor has been unresponsive, companies should also consider reaching out directly to Lucee for a fix.

## Diagram


### CVSS 3.1 Assessment

| Metric  | Value | Explanation |
| ------------- | ------------- | ------------- |
| Attack Vector | Network | Exploitable remotely over network |
| Attack Complexity | Low  | No special conditions required |
| Privileges Required	 | None | No authentication needed |
| User Interaction | Required  | Victim must click malicious link |
| Scope  | changed  | The vulnerability resides in the server but impacts the user's browser session, crossing a security boundary. |
|  Confidentiality |  High | Can steal credentials, session data |
| Integrity  | Low |Can modify page content, perform CSRF |
| Availability | None | No direct availability impact|

**CVSS Score: 7.4** (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)

## Disclosure Timeline

- **2025-12-06:** Initial report sent to `security@lucee.org` and private GitHub Security Advisory (GHSA-6x3c-35h8-3h9f) created. No response.
- **2026-03-10:** Report submitted to VulnCheck for coordinated disclosure.
- **2026-03-10:** CVE-2026-29519 provisionally assigned.
- **2026-03-30:** VulnCheck confirms no reply from Lucee after outreach.
- **2026-05-01:** Re‑tested latest stable and snapshots – vulnerability still present.
- **2026-07-08:** Public disclosure after 7 months of vendor silence.


## Impact
- Pre‑authentication XSS
- Credential phishing

## Remediation
- downgrade to patched versions.
- Sanitize HTML tags from URL paths.
- Validate URL paths before processing.

### References
1. [Lucee Documentation](https://docs.lucee.org/)
2. [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
3. [CWE-79](https://cwe.mitre.org/data/definitions/79.html)
4. [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)


###### *Fouad Milat @lavado*