KEVIntel
CVSS 5.4 Medium

CVE-2021-21087

PUBLISHED

ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser

Exploited in the wild · Remote · Low complexity

Vendor: Adobe
Product: ColdFusion
Published: Apr 15, 2021
EPSS


Description

Adobe ColdFusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in the context of the current user. Exploitation of this issue requires user interaction.

nuclei_scanner

Weaknesses (CWE)

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores

CVSS v3.0 5.4 Medium

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitation status

Exploited in the wild

Recorded 2025-07-26 00:00:00 UTC · The Shadowserver (via CIRCL)

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: The Shadowserver (via CIRCL) · Added: First 2025-07-26 00:00 UTC

Scanner integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel