Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe Patches Critical Apache Tika Bug in ColdFusion

Posted on By CWS

Adobe has launched safety updates for 11 merchandise on January 2026 Patch Tuesday, addressing a complete of 25 vulnerabilities, together with a vital code execution flaw.

The critical-severity difficulty, tracked as CVE-2025-66516 (CVSS rating of 10/10), is an XML Exterior Entity (XXE) injection bug in Apache Tika modules that might be exploited through XFA recordsdata positioned inside PDF paperwork.

The safety defect was patched in early December, when Apache warned that profitable exploitation might result in info leaks, SSRF assaults, denial-of-service (DoS), or distant code execution (RCE).

On Tuesday, Adobe launched a ColdFusion safety replace to resolve CVE-2025-66516, noting that every one ColdFusion 2025 Replace 5 and earlier variations, and ColdFusion 2023 Replace 17 and earlier variations are affected, on all platforms.

The vulnerability was addressed in ColdFusion 2025 Replace 6 and ColdFusion 2023 Replace 18. Adobe has slapped a precedence ranking of ‘1’ on the safety bulletin, urging customers to replace as quickly as doable.

One other Adobe product that acquired an replace on January 2026 Patch Tuesday is Dreamweaver. The safety refresh resolves 5 high-severity flaws, 4 resulting in arbitrary code execution and one resulting in arbitrary system file write.Commercial. Scroll to proceed studying.

Excessive-severity safety defects had been resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some merchandise, the updates additionally mounted medium-severity bugs.

Adobe additionally launched fixes for a medium-severity vulnerability in Substance 3D Designer, warning it might result in reminiscence leaks.

All of the remaining advisories have a precedence ranking of ‘3’, as the problems had been addressed in merchandise that haven’t been traditionally focused in assaults.

The corporate makes no point out of any of those vulnerabilities being exploited within the wild. Extra info may be discovered on Adobe’s safety advisories web page.

Microsoft on Tuesday patched 112 vulnerabilities, together with a zero-day exploited in assaults.

Associated: Microsoft Patches Exploited Home windows Zero-Day, 111 Different Vulnerabilities

Associated: SAP’s January 2026 Safety Updates Patch Important Vulnerabilities

Associated: Adobe Patches Almost 140 Vulnerabilities

Associated: Cyber Insights 2026: Exterior Assault Floor Administration

Security Week News Tags:, , , , , ,

Related Posts

Pakistan-Linked Cyber Espionage Targets India’s Defense Pakistan-Linked Cyber Espionage Targets India’s Defense Security Week News
LinkedIn Under Scrutiny: Allegations of Privacy Invasion LinkedIn Under Scrutiny: Allegations of Privacy Invasion Security Week News
AI Tools Used in Cyberattack on Mexican Water Utility AI Tools Used in Cyberattack on Mexican Water Utility Security Week News
Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data Security Week News
TransUnion Data Breach Impacts 4.4 Million TransUnion Data Breach Impacts 4.4 Million Security Week News
Chrome 140 Update Patches Sixth Zero-Day of 2025 Chrome 140 Update Patches Sixth Zero-Day of 2025 Security Week News