Share
## https://sploitus.com/exploit?id=CFA31C7D-B336-529C-9469-4F88684AA898
# CVE-2026-29519-Lucee-Reflected-XSS
Proof of Concept for Reflected XSS in Lucee CFML (CVE-2026-29519)
# Framework 0-Day: Reflected XSS in Lucee CFML URL Parsing Affects Enterprise Deployments (Versions 5.3.1.95 to 7.x)
* **Discoverer:** Fouad Milat (lavado)
* **Date Discovered:** December 6, 2025
* **CVE:** CVE-2026-29519
* **Vendor:** Lucee Association
* **Product:** Lucee CFML Server
* **Affected Versions:** 22 versions from 5.3.1.95 up to 7.0.0.395 & 7.x (latest)
# Description
A critical 0-day Reflected Cross-Site Scripting (**XSS**) vulnerability has been discovered in Lucee CFML's URL path parsing mechanism. This vulnerability allows attackers to inject and execute arbitrary **HTML/JavaScript** in the context of the Lucee application, including the administrative interface. The vulnerability affects **22** different **Lucee** versions spanning from **5.3.1.95** through the latest **7.x** release.
### Affected Versions
**22** versions from **5.3.1.95** through **7.0.1.100**, including all 7.x snapshots.
| Version | Status | Notes |
| ------------- | ------------- | :-------------:|
| 7.0.0.395 | β
VULNERABLE | Latest 7.x release |
| 6.2.3.35 | β
VULNERABLE | Latest 6.2.x patch |
| 6.2.2.91 | β
VULNERABLE | |
| 6.2.1.122 | β
VULNERABLE | |
| 6.2.0.321 | β
VULNERABLE | Original discovery version |
| 6.1.2.47 | β
VULNERABLE | |
| 6.1.1.118 | β
VULNERABLE | |
| 6.1.0.243 | β
VULNERABLE | |
| 5.3.7.59 | β
VULNERABLE | |
| 5.3.7.47 | β
VULNERABLE | |
| 5.3.7.43 | β
VULNERABLE | |
| 5.3.6.68 | β
VULNERABLE | |
| 5.3.6.61 | β
VULNERABLE | |
| 5.3.5.96 | β
VULNERABLE | |
| 5.3.5.92 | β
VULNERABLE | |
| 5.3.4.80 | β
VULNERABLE | |
| 5.3.4.77 | β
VULNERABLE | Shows debug info in homepage |
| 5.3.3.67-SNAPSHOT | β
VULNERABLE | |
| 5.3.3.62 | β
VULNERABLE | |
| 5.3.2.77 | β
VULNERABLE | |
| 5.3.1.102 | β
VULNERABLE | |
| 5.3.1.95 | β
VULNERABLE | |
# Proof of Concept
```bash
# 1. Start a vulnerable Lucee instance (example: 6.2.0.321 or Latest 7.x)
docker run -d -p 8888:8888 --name lucee-test lucee/lucee:6.2.0.321
# 2. Wait 35-40 seconds for initialization
sleep 40
# 3. Test the vulnerability by visiting:
http://[lucee-host]/test//index.cfm/
# 4. Observe JavaScript execution (alert dialog appears).
# 5. Clean up
docker stop lucee-test 2>/dev/null; docker rm lucee-test 2>/dev/null
```
# Patch
No official patch has been released by Lucee, as the vendor did not respond to this report. However, the following versions are **not vulnerable**:
**Secure Versions (Not Vulnerable)**
Companies can upgrade/downgrade to these versions to avoid the XSS:
**6.0.x Branch (Secure)**
* 6.0.4.10 (latest secure 6.0.x)
* 6.0.3.1
* 6.0.2.45
* 6.0.1.83
* 6.0.0.585-SNAPSHOT-light-nginx
**5.4.x Branch (Secure)**
* 5.4.8.2 (latest secure 5.4.x)
* 5.4.7.3
* 5.4.7.2
* 5.4.6.9
* 5.4.5.23
* 5.4.4.38
* 5.4.3.16
* 5.4.3.15
* 5.4.3.2
* 5.4.2.17
* 5.4.1.8
* 5.4.0.80
**5.3.x Branch (Some Secure)**
* 5.3.12.1
* 5.3.11.5
* 5.3.10.120
* 5.3.10.97
* 5.3.9.173
* 5.3.9.166
* 5.3.9.160
* 5.3.9.141
* 5.3.9.133
* 5.3.8.237
* 5.3.8.206
* 5.3.8.205-SNAPSHOT
* 5.3.8.201
* 5.3.8.189
### Testing Methodology
> Environment
- **Testing Duration:** 18+ hours manual testing
- **Versions Tested:** 50+ Lucee releases (4.5.1.024 through 7.0.0.395)
- **Platform:** Docker containers on Ubuntu Linux
- **Tools:** curl, manual browser testing, Burp Suite
# Recommendation for Companies
1- **Upgrade to the latest secure version:**
* If on 6.x: Upgrade to 6.0.4.10 (or any 6.0.x above 6.0.1.83).
* If on 5.x: Upgrade to 5.4.8.2 (or any secure 5.4.x).
2- **If upgrading is not possible**, apply a temporary WAF rule to block HTML tags in URL paths. Example (nginx):
`location ~* "" { return 403; }`
3- **Monitor Lucee's official channels** for a future security patch. Since the vendor has been unresponsive, companies should also consider reaching out directly to Lucee for a fix.
## Diagram
### CVSS 3.1 Assessment
| Metric | Value | Explanation |
| ------------- | ------------- | ------------- |
| Attack Vector | Network | Exploitable remotely over network |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | Required | Victim must click malicious link |
| Scope | changed | The vulnerability resides in the server but impacts the user's browser session, crossing a security boundary. |
| Confidentiality | High | Can steal credentials, session data |
| Integrity | Low |Can modify page content, perform CSRF |
| Availability | None | No direct availability impact|
**CVSS Score: 7.4** (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
## Disclosure Timeline
- **2025-12-06:** Initial report sent to `security@lucee.org` and private GitHub Security Advisory (GHSA-6x3c-35h8-3h9f) created. No response.
- **2026-03-10:** Report submitted to VulnCheck for coordinated disclosure.
- **2026-03-10:** CVE-2026-29519 provisionally assigned.
- **2026-03-30:** VulnCheck confirms no reply from Lucee after outreach.
- **2026-05-01:** Reβtested latest stable and snapshots β vulnerability still present.
- **2026-07-08:** Public disclosure after 7 months of vendor silence.
## Impact
- Preβauthentication XSS
- Credential phishing
## Remediation
- downgrade to patched versions.
- Sanitize HTML tags from URL paths.
- Validate URL paths before processing.
### References
1. [Lucee Documentation](https://docs.lucee.org/)
2. [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
3. [CWE-79](https://cwe.mitre.org/data/definitions/79.html)
4. [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)
###### *Fouad Milat @lavado*