Adobe ColdFusion (2023 release) Updates Release Notes

ColdFusion (2023 release) Update 16 (release date, 9 September, 2025) addresses an important security fix related to critical path traversal.

View the security bulletin APSB25-93 for more information.

For more details, see this tech note.

ColdFusion (2023) Update 15 includes important security fixes that mitigate vulnerabilities related to arbitrary file reads, code execution, privilege escalation, and security feature bypass.

The update also upgrades the underlying Tomcat engine to version 9.0.106 and resolves several issues reported in earlier updates.

View the security bulletin, APSB25-69, for more information.

For more details, see the tech note.

ColdFusion (2023 release) Update 14 (release date, May 13, 2025) resolves critical and important vulnerabilities that could lead to arbitrary file system reads, arbitrary code execution, privilege escalation, and security feature bypass. It also addresses the PDFg service-related issues from the previous ColdFusion updates.

View the security bulletin, APSB25-52, for more information.

For more details, see the tech note.

ColdFusion (2023 release) Update 13 (release date, April 08, 2025) resolves several critical vulnerabilities that could lead to arbitrary file system reading, arbitrary code execution, and security feature bypass.

View the security bulletin, APSB25-15, for more information.

For more details, see the tech note.

ColdFusion (2023 release) Update 12 (release date, December 20, 2024) resolves a critical vulnerability that could lead to arbitrary file system read.

View the security bulletin, APSB24-107, for more information.

For more details, see this tech note.

ColdFusion (2023 release) Update 11 (release date, October 15, 2024)  includes bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. The update also contains library upgrades, such as Jackson-data-bind, netty, ehcache, etc.

For more details, see this tech note.

ColdFusion (2023 release) Update 10 (release date, September 10, 2024) resolves a critical vulnerability that could lead to the deserialization of untrusted data. View the security bulletin, APSB24-71, for more information.

For more details, see this tech note.

In ColdFusion (2023 release) Update 9 (release date, August 20, 2024), we’ve upgraded Tomcat from version 9.0.85 to version 9.0.93.

For more details, see this tech note.

ColdFusion (2023 release) Update 8 (release date, June 11, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-41.

For more details, see this tech note.

ColdFusion (2023 release) Update 7 (release date, 12 March, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-14.

For more details, see this tech note.

ColdFusion (2023 release) Update 6 (release date, November 14, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-52. These updates resolve a critical vulnerability that could lead to improper access control and security feature bypass.

For more details, see this tech note.

ColdFusion (2023 release) Update 5 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.

With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.

For more information, see the tech note.

ColdFusion (2023 release) Update 4 (release date, 16 August, 2023) introduces the ColdFusion serial filter that can be used to allow or disallow Java classes or packages for the deserialization of Wddx packets.

For more information, see the tech note.

ColdFusion (2023 release) Update 3 (release date, 19 July, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-47. These updates resolve a critical vulnerability that could lead to improper access control and security feature bypass.

For more information, see the tech note.

ColdFusion (2023 release) Update 2 (release date, 14 July, 2023) addresses vulnerabilities  that could lead to arbitrary code execution.

For more information, security bulletin APSB23-41.

For more information, see the tech note.

ColdFusion (2023 release) Update 1 (release date, 11 July, 2023) addresses vulnerabilities  that could lead to arbitrary code execution and security feature bypass.

For more information, security bulletin APSB23-40.

For more information, see the tech note.