Announcing CF update released Jul 14 2023 - a second priority 1 security update in one week
For more on the update, and some additional thoughts, read on.
For more on the update, and some additional thoughts, read on.
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Announcing ColdFusion updates of Jun 9 2026 - p1 security update - thoughts and resources
Announcing major ColdFusion 2025 update of May 20 2026 - thoughts and resources
About the coming (massive) CF2025 "AI update", prerelease links and more
Announcing Java updates of Apr 21 2026 - thoughts and resources
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Jeff Horne said:
Ah, great!! Thank you as always Charlie!!
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Charlie Arehart said:
Good question, Jeff. And I now have the answer (I didn't notice this when I first posted t
...
[more]
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Jeff Horne said:
The change that blocks Unrestricted Upload of File with Dangerous Type does not note the file types
...
[more]
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Charlie Arehart said:
Thanks for all that, Roman. Corrected, and tweaked just a bit more. :-)
Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
Roman said:
Thanks for getting this out so fast, Charlie.
Really appreciate the extra clarification you
...
[more]


I will note that while that post indicates that "There is currently no mitigation", that may not be the final/complete answer. Note how it refers to the _cfclient querystring, and notice that in my first post last week (on the Jul 11 CF update), I did point out how my March blog post on the previous CF update discussed ways to BLOCK ALL REQUESTS using that _cfclient querystring. I also elaborate there on what it's about, how one can determine if they may have any legit use of it (most do not), and much more. See https://www.carehart...
As I've said elsewhere, it's just not clear how many of the recently closed vulns DO work based on the _cfclient querystring. That post is about all we have to go on, as I've not seen any others. While those on cf2018 and above can apply these fixes to address what Adobe has found, it's just not clear (for now) what those on cf2016 can or should do, other than block requests with that querystring.