Adobe has launched safety updates for 11 merchandise on January 2026 Patch Tuesday, addressing a complete of 25 vulnerabilities, together with a vital code execution flaw.
The critical-severity difficulty, tracked as CVE-2025-66516 (CVSS rating of 10/10), is an XML Exterior Entity (XXE) injection bug in Apache Tika modules that might be exploited through XFA recordsdata positioned inside PDF paperwork.
The safety defect was patched in early December, when Apache warned that profitable exploitation might result in info leaks, SSRF assaults, denial-of-service (DoS), or distant code execution (RCE).
On Tuesday, Adobe launched a ColdFusion safety replace to resolve CVE-2025-66516, noting that every one ColdFusion 2025 Replace 5 and earlier variations, and ColdFusion 2023 Replace 17 and earlier variations are affected, on all platforms.
The vulnerability was addressed in ColdFusion 2025 Replace 6 and ColdFusion 2023 Replace 18. Adobe has slapped a precedence ranking of ‘1’ on the safety bulletin, urging customers to replace as quickly as doable.
One other Adobe product that acquired an replace on January 2026 Patch Tuesday is Dreamweaver. The safety refresh resolves 5 high-severity flaws, 4 resulting in arbitrary code execution and one resulting in arbitrary system file write.Commercial. Scroll to proceed studying.
Excessive-severity safety defects had been resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some merchandise, the updates additionally mounted medium-severity bugs.
Adobe additionally launched fixes for a medium-severity vulnerability in Substance 3D Designer, warning it might result in reminiscence leaks.
All of the remaining advisories have a precedence ranking of ‘3’, as the problems had been addressed in merchandise that haven’t been traditionally focused in assaults.
The corporate makes no point out of any of those vulnerabilities being exploited within the wild. Extra info may be discovered on Adobe’s safety advisories web page.
Microsoft on Tuesday patched 112 vulnerabilities, together with a zero-day exploited in assaults.
Associated: Microsoft Patches Exploited Home windows Zero-Day, 111 Different Vulnerabilities
Associated: SAP’s January 2026 Safety Updates Patch Important Vulnerabilities
Associated: Adobe Patches Almost 140 Vulnerabilities
Associated: Cyber Insights 2026: Exterior Assault Floor Administration
