Adobe Security Bulletin

Last updated on Jan 13, 2026

Security updates available for Adobe ColdFusion | APSB26-12

Bulletin ID	Date Published	Priority
APSB26-12	January 13, 2026	1

Summary

Adobe has released security updates for ColdFusion versions 2025 and 2023. These dependency update resolves a critical vulnerability that could lead to arbitrary code execution.

Affected Versions

Product	Update number	Platform
ColdFusion 2025	Update 5 and earlier versions	All
ColdFusion 2023	Update 17 and earlier versions	All

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Product	Updated Version	Platform	Priority rating	Availability
ColdFusion 2025	Update 6	All	1	Tech Note
ColdFusion 2023	Update 18	All	1	Tech Note

Note

For security reasons, we strongly recommend to use latest mysql java connector. For more information on its usage, please refer to: https://helpx.adobe.com/coldfusion/kb/coldfusion-configuring-mysql-jdbc.html

See the updated serial filter documentation for more details on protection against insecure deserialization attacks: https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html

Update to dependencies

CVE Number	Dependency	Vulnerability Impact	Affected Versions
CVE-2025-66516	Apache Tika	Arbitrary code execution	Update 5 and earlier Update 17 and earlier

For more information, please see: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Acknowledgements:

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:   

Brian Reilly (reillyb) -- CVE-2025-61808, CVE-2025-61809
Nhien Pham (nhienit2010) -- CVE-2025-61812, CVE-2025-61822, CVE-2025-61823
nbxiglk -- CVE-2025-61810, CVE-2025-61811, CVE-2025-61813, CVE-2025-61821, CVE-2025-61830
Karol Mazurek (cr1m5on) -- CVE-2025-64897
bytehacker_sg -- CVE-2025-64898

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe

Note

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release as a secure practice. The ColdFusion downloads page is regularly updated to include the latest Java installers for the JDK version your installation supports as per the matrices below.

For instructions on how to use an external JDK, view Change ColdFusion JVM.

Adobe also recommends applying the security configuration settings included in the ColdFusion Security documentation as well as review the respective Lockdown guides.   

ColdFusion JDK Requirement

COLDFUSION 2025 (version 2023.0.0.331385) and above
For Application Servers

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**; " in the respective startup file depending on the type of Application Server being used.

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;" in the respective startup file depending on the type of Application Server being used.

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

Get help faster and easier

New user?