SecurityWeek

Adobe Patches Nearly 140 Vulnerabilities

The Experience Manager security update resolves 117 vulnerabilities, including 116 identified as cross-site scripting (XSS) bugs.

Adobe on Tuesday announced the rollout of patches for nearly 140 vulnerabilities across its products, including critical-severity bugs in ColdFusion and Experience Manager.

ColdFusion received fixes for 12 security defects, most of which could be exploited for arbitrary code execution.

The most severe of these are CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS score of 9.1), described as unrestricted dangerous file upload, improper input validation, and deserialization of untrusted data, respectively.

Fixes for all 12 bugs were included in ColdFusion 2025 update 5, ColdFusion 2023 update 7, and ColdFusion 2021 update 23.

This month, Experience Manager (AEM) received fixes for 117 vulnerabilities, 116 of which are cross-site scripting (XSS) flaws, including two critical-severity bugs, tracked as CVE-2025-64537 and CVE-2025-64539 (CVSS score of 9.3).

The remaining 114 XSS issues are medium-severity bugs. The update also resolves a high-severity defect described as dependency on a vulnerable third-party component.

AEM Cloud Service release 2025.12 and AEM versions 6.5 LTS SP1 (GRANITE-61551 Hotfix) and 6.5.24 resolve all security defects.

Adobe has slapped a priority rating of ‘1’ on both the ColdFusion and AEM updates, urging users to apply the fixes as soon as possible.

On Tuesday, the company also announced fixes for two high- and two medium-severity security holes in the DNG SDK, two high- and two low-severity issues in Acrobat and Reader, and one medium-severity flaw in Creative Cloud Desktop for macOS.

Adobe says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
