[Looking for Charlie's main web site?]

Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources

An update for ColdFusion has been released, June 30 2026, for each of CF2025 (as its update 10) and CF2023 (as its update 21).

In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

Even so, as happens with about 30% of CF security updates, this one has potential breaking changes (which could affect some apps but not all), and there are also new jvm flags/args which would allow you to trade back that improved security for compatibility. You should consider such changes carefully before just applying the update in prod (as some do) or relying on only light testing of a few pages. The same care should be taken before just blithely sticking the jvm args in for compatibility sake.

Forewarned is forearmed. Read on for more.

[....Continue Reading....]

Comments
Thanks for getting this out so fast, Charlie.
Really appreciate the extra clarification you added on the XML/cfexchange changes, that saved me some digging.

Just one tiny thing: in the JVM flag list, "-Dcoldfusion.xml.saxon.allowResultDocumen" looks like it's missing the trailing "t". Adobe's Update 10 technote has it as "-Dcoldfusion.xml.saxon.allowResultDocument". Figured I'd flag it so nobody copy-pastes the wrong flag name.

Thanks again for all the resources you put out!
# Posted By Roman | 7/1/26 12:43 AM
Thanks for all that, Roman. Corrected, and tweaked just a bit more. :-)
The change that blocks Unrestricted Upload of File with Dangerous Type does not note the file types that are blocked. Even the jvm arg listing that identifies the argument does not mention how to find out which file types are impacted. Do you know what they might be, Charlie?
# Posted By Jeff Horne | 7/1/26 11:03 AM
Good question, Jeff. And I now have the answer (I didn't notice this when I first posted the entry.)

While my original comment here had the details, I have now moved them into the post itself, in the section, "What's the " blocked-extension list" referred to in the release notes, about cfexchange/cfpop/cfmail?", at

https://www.carehart.org/blog/2026/6/30/coldfusion_updates_released_jun_30_2026#blocked
Ah, great!! Thank you as always Charlie!!
# Posted By Jeff Horne | 7/1/26 11:59 AM
I just noticed in this Update 10 installer text that the installer itself indicates that it tries to clear the felix-cache as part of the update process. Did you notice that, and is it new?
# Posted By Andy Peterson | 7/7/26 10:24 AM
Copyright ©2026 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the HTML in this page?)

Managed Hosting Services provided by
xByte cloud Hosting