Adobe has released patches for 25 vulnerabilities across its products, including a critical Apache Tika flaw in ColdFusion.
January 13, 2026 By Ionut Arghire
Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.
The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.
The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that all ColdFusion 2025 Update 5 and earlier versions, and ColdFusion 2023 Update 17 and earlier versions are affected, on all platforms.
The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has slapped a priority rating of ‘1’ on the security bulletin, urging users to update as soon as possible.