Adobe Patches 25 Vulnerabilities Across Creative Cloud and ColdFusion
Adobe's January security update addresses 25 CVEs across 11 products including InDesign, Illustrator, and ColdFusion, with none under active exploitation.
Adobe has released its January 2026 security update, addressing 25 vulnerabilities across 11 products in the Creative Cloud and ColdFusion portfolios. None of the patched vulnerabilities are currently under active exploitation, giving organizations time to test and deploy updates.
Products Updated
The January security bulletins cover the following Adobe products:
- ColdFusion: 1 critical vulnerability (Priority 1)
- Dreamweaver: 5 critical code execution bugs
- InDesign: 5 vulnerabilities (4 critical)
- Illustrator: 2 vulnerabilities (1 critical)
- InCopy: 1 critical code execution bug
- Bridge: 1 critical code execution bug
- Substance 3D Modeler, Stager, Painter, Sampler, Designer: Various fixes
ColdFusion Priority 1 Update
The ColdFusion update (APSB26-01) addresses CVE-2025-66516, a critical XML External Entity (XXE) vulnerability in the Apache Tika libraries shipped with ColdFusion. Despite the Priority 1 rating, Adobe reports that it is not aware of public exploit code or active attacks against the flaw.
Adobe strongly recommends applying the ColdFusion update as soon as possible. XXE flaws are treated as critical because a parser that resolves external entities will fetch whatever the attacker's document points at, which can lead to:
- Server-side request forgery (SSRF): the server makes requests to internal hosts on the attacker's behalf
- Sensitive data disclosure: local files are read through file:// entities and returned in the response or exfiltrated out of band
- Denial of service: recursive or oversized entity expansion exhausts memory or CPU
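The following is an added example, not Adobe's or Apache Tika's code, showing the mechanics behind the XXE class described above. It uses Python's standard-library SAX parser (which wraps expat) so it runs offline: the permissive configuration resolves an external entity and leaks a planted file, while the hardened configuration refuses any DOCTYPE before parsing, the same policy the Xerces `disallow-doctype-decl` feature enforces on the Java side that ColdFusion runs on. The file name, its contents and the element names are constructed for the demonstration.

```python
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _CredentialCollector(ContentHandler):
    """Stands in for an application that stores element text verbatim."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        # expat may deliver one text node in several callbacks
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks).strip()


def build_xxe_payload(local_path):
    """Constructed attacker input: an external general entity pointing at a
    local file, referenced from element content. In the wild the SYSTEM
    identifier is file:///etc/passwd or an http://internal-host/ URL; a
    permissive parser fetches that URL from the server's network position,
    which is the SSRF case."""
    uri = pathlib.Path(local_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n'
        '<doc><credential>&xxe;</credential></doc>\n'
    ).encode()


def parse_permissive(xml_bytes):
    """Vulnerable configuration: external general entities are resolved, so
    &xxe; expands to the file's contents. This is what a DOCTYPE-tolerant
    parser does, and was Python's own default before 3.7.1."""
    handler = _CredentialCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")


def parse_hardened(xml_bytes):
    """Hardened configuration: refuse any DOCTYPE up front and keep external
    entity resolution off. Without a DOCTYPE no entity can be declared, which
    closes external entities, parameter entities and entity-expansion DoS
    ("billion laughs") at once. Merely disabling external entities (the
    default path) would silently expand &xxe; to nothing and still accept
    internal entity declarations."""
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("rejected: document carries a DOCTYPE declaration")
    handler = _CredentialCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # default since 3.7.1
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Plants a constructed secret in a temp file and runs the payload through
    both parsers. Returns what leaked and whether the hardened path blocked it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "db-credentials.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("svc_coldfusion:Hunter2!")  # constructed, not a real credential
        payload = build_xxe_payload(secret_path)
        leaked = parse_permissive(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The DOCTYPE check is deliberately a byte-level scan before the parser sees the input, because by the time a SAX callback fires the entity declaration has already been processed; a match inside an XML comment is a false positive, which is the safe direction for untrusted uploads.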
Creative Cloud Updates
The Creative Cloud application updates primarily address memory corruption vulnerabilities that could allow code execution when a user opens a maliciously crafted file. Attack vectors include:
- Malicious document files (InDesign, Illustrator)
- Crafted image files (Bridge, Substance 3D products)
- Web content (Dreamweaver)
Deployment Priority
Adobe assigns deployment priorities to help organizations plan updates:
- Priority 1 (ColdFusion): Deploy within 72 hours
- Priority 3 (All others): Deploy at administrator's discretion
New Monthly Patch Cycle
Starting in 2026, Adobe Commerce moves from quarterly to monthly security patches, so administrators can apply current security fixes without waiting for a major version upgrade. The change is part of Adobe's shift toward a faster security response cadence.