Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe Patches Critical Apache Tika Bug in ColdFusion

Posted on By CWS

Adobe has launched safety updates for 11 merchandise on January 2026 Patch Tuesday, addressing a complete of 25 vulnerabilities, together with a vital code execution flaw.

The critical-severity difficulty, tracked as CVE-2025-66516 (CVSS rating of 10/10), is an XML Exterior Entity (XXE) injection bug in Apache Tika modules that might be exploited through XFA recordsdata positioned inside PDF paperwork.

The safety defect was patched in early December, when Apache warned that profitable exploitation might result in info leaks, SSRF assaults, denial-of-service (DoS), or distant code execution (RCE).

On Tuesday, Adobe launched a ColdFusion safety replace to resolve CVE-2025-66516, noting that every one ColdFusion 2025 Replace 5 and earlier variations, and ColdFusion 2023 Replace 17 and earlier variations are affected, on all platforms.

The vulnerability was addressed in ColdFusion 2025 Replace 6 and ColdFusion 2023 Replace 18. Adobe has slapped a precedence ranking of ‘1’ on the safety bulletin, urging customers to replace as quickly as doable.

One other Adobe product that acquired an replace on January 2026 Patch Tuesday is Dreamweaver. The safety refresh resolves 5 high-severity flaws, 4 resulting in arbitrary code execution and one resulting in arbitrary system file write.Commercial. Scroll to proceed studying.

Excessive-severity safety defects had been resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some merchandise, the updates additionally mounted medium-severity bugs.

Adobe additionally launched fixes for a medium-severity vulnerability in Substance 3D Designer, warning it might result in reminiscence leaks.

All of the remaining advisories have a precedence ranking of ‘3’, as the problems had been addressed in merchandise that haven’t been traditionally focused in assaults.

The corporate makes no point out of any of those vulnerabilities being exploited within the wild. Extra info may be discovered on Adobe’s safety advisories web page.

Microsoft on Tuesday patched 112 vulnerabilities, together with a zero-day exploited in assaults.

Associated: Microsoft Patches Exploited Home windows Zero-Day, 111 Different Vulnerabilities

Associated: SAP’s January 2026 Safety Updates Patch Important Vulnerabilities

Associated: Adobe Patches Almost 140 Vulnerabilities

Associated: Cyber Insights 2026: Exterior Assault Floor Administration

Security Week News Tags:, , , , , ,

Related Posts

Tim Kosiba Named NSA Deputy Director Tim Kosiba Named NSA Deputy Director Security Week News
Recent GeoServer Vulnerability Exploited in Attacks Recent GeoServer Vulnerability Exploited in Attacks Security Week News
Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild Security Week News
Adobe ColdFusion Servers Targeted in Coordinated Campaign Adobe ColdFusion Servers Targeted in Coordinated Campaign Security Week News
OpenAI User Data Exposed in Mixpanel Hack OpenAI User Data Exposed in Mixpanel Hack Security Week News
Critical Apache Tika Vulnerability Leads to XXE Injection Critical Apache Tika Vulnerability Leads to XXE Injection Security Week News