Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe Patches Critical Apache Tika Bug in ColdFusion

Posted on By CWS

Adobe has launched safety updates for 11 merchandise on January 2026 Patch Tuesday, addressing a complete of 25 vulnerabilities, together with a vital code execution flaw.

The critical-severity difficulty, tracked as CVE-2025-66516 (CVSS rating of 10/10), is an XML Exterior Entity (XXE) injection bug in Apache Tika modules that might be exploited through XFA recordsdata positioned inside PDF paperwork.

The safety defect was patched in early December, when Apache warned that profitable exploitation might result in info leaks, SSRF assaults, denial-of-service (DoS), or distant code execution (RCE).

On Tuesday, Adobe launched a ColdFusion safety replace to resolve CVE-2025-66516, noting that every one ColdFusion 2025 Replace 5 and earlier variations, and ColdFusion 2023 Replace 17 and earlier variations are affected, on all platforms.

The vulnerability was addressed in ColdFusion 2025 Replace 6 and ColdFusion 2023 Replace 18. Adobe has slapped a precedence ranking of ‘1’ on the safety bulletin, urging customers to replace as quickly as doable.

One other Adobe product that acquired an replace on January 2026 Patch Tuesday is Dreamweaver. The safety refresh resolves 5 high-severity flaws, 4 resulting in arbitrary code execution and one resulting in arbitrary system file write.Commercial. Scroll to proceed studying.

Excessive-severity safety defects had been resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some merchandise, the updates additionally mounted medium-severity bugs.

Adobe additionally launched fixes for a medium-severity vulnerability in Substance 3D Designer, warning it might result in reminiscence leaks.

All of the remaining advisories have a precedence ranking of ‘3’, as the problems had been addressed in merchandise that haven’t been traditionally focused in assaults.

The corporate makes no point out of any of those vulnerabilities being exploited within the wild. Extra info may be discovered on Adobe’s safety advisories web page.

Microsoft on Tuesday patched 112 vulnerabilities, together with a zero-day exploited in assaults.

Associated: Microsoft Patches Exploited Home windows Zero-Day, 111 Different Vulnerabilities

Associated: SAP’s January 2026 Safety Updates Patch Important Vulnerabilities

Associated: Adobe Patches Almost 140 Vulnerabilities

Associated: Cyber Insights 2026: Exterior Assault Floor Administration

Security Week News Tags:, , , , , ,

Related Posts

Dataminr to Acquire ThreatConnect for 0 Million Dataminr to Acquire ThreatConnect for $290 Million Security Week News
Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities Security Week News
Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’ Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’ Security Week News
Is AI Use in the Workplace Out of Control? Is AI Use in the Workplace Out of Control? Security Week News
Critical Security Flaw in BeyondTrust Products Patched Critical Security Flaw in BeyondTrust Products Patched Security Week News
The AI Arms Race: Deepfake Generation vs. Detection The AI Arms Race: Deepfake Generation vs. Detection Security Week News