Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
Even so, as happens with about 30% of CF security updates, this one has potential breaking changes (which could affect some apps but not all), and there are also new jvm flags/args which would allow you to trade back that improved security for compatibility. You should consider such changes carefully before just applying the update in prod (as some do) or relying on only light testing of a few pages. The same care should be taken before just blithely sticking the jvm args in for compatibility sake.
Forewarned is forearmed. Read on for more.





Really appreciate the extra clarification you added on the XML/cfexchange changes, that saved me some digging.
Just one tiny thing: in the JVM flag list, "-Dcoldfusion.xml.saxon.allowResultDocumen" looks like it's missing the trailing "t". Adobe's Update 10 technote has it as "-Dcoldfusion.xml.saxon.allowResultDocument". Figured I'd flag it so nobody copy-pastes the wrong flag name.
Thanks again for all the resources you put out!
While my original comment here had the details, I have now moved them into the post itself, in the section, "What's the " blocked-extension list" referred to in the release notes, about cfexchange/cfpop/cfmail?", at
https://www.carehart.org/blog/2026/6/30/coldfusion_updates_released_jun_30_2026#blocked