The Experience Manager security update resolves 117 vulnerabilities, including 116 identified as cross-site scripting (XSS) bugs.
December 9, 2025 By Ionut Arghire
Adobe on Tuesday announced the rollout of patches for nearly 140 vulnerabilities across its products, including critical-severity bugs in ColdFusion and Experience Manager.
ColdFusion received fixes for 12 security defects, most of which could be exploited for arbitrary code execution.
The most severe of these are CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS score of 9.1), described as unrestricted dangerous file upload, improper input validation, and deserialization of untrusted data, respectively.
Fixes for all 12 bugs were included in ColdFusion 2025 update 5, ColdFusion 2023 update 7, and ColdFusion 2021 update 23.
This month, Experience Manager (AEM) received fixes for 117 vulnerabilities, 116 of which are cross-site scripting (XSS) flaws. Two of the XSS flaws, tracked as CVE-2025-64537 and CVE-2025-64539 (CVSS score of 9.3), are critical-severity bugs.
The remaining 114 XSS issues are medium-severity bugs. The update also resolves a high-severity defect described as dependency on a vulnerable third-party component.
AEM Cloud Service release 2025.12 and AEM versions 6.5 LTS SP1 (GRANITE-61551 Hotfix) and 6.5.24 resolve all security defects.