
Announcing ColdFusion updates released Apr 14 2026 - p1 security update

An update for ColdFusion has been released, Apr 14 2026, for each of cf2025 (as its update 7) and cf2023 (as its update 19). In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

(This is the second update since CF2021 reached its end of life, as I blogged previously, which is something folks still running it should beware. You are now QUITE exposed to the things fixed in these two updates, for which there is no fix for you.)

In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.

For more, read on.

(And FWIW I'll note that having installed the update for each of the releases on multiple machines, I can report that it went well.)

Following are the topics discussed in this post:

I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offer help to them and my own clients. (So far, again, I'm not aware of any issues. That said, sometimes issues arise due to caching--with respect to "seeing" or downloading the update. Only time will tell, but such problems inevitably do pass.)

Finding the update (and more about it)

While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically:

(There tends to be more "discussion" from community members in the forum announcement than the blog post, though not always.)

And those announcements point to the very important technote available for each version:

What are the security issues addressed in the update?

If you read the Adobe Product Security Bulletin (APSB) for this update, it indicates that it's a Priority 1 "Critical" update, and the various CVEs listed in the bulletin have CVSS scores ranging from 2.4 to 9.3 out of 10. The bulletin identifies the specific CVEs (as tracked by NIST) that are addressed.

You can read the bulletin for the boilerplate identification of the issues, and the CVE documents. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.

What's changed in the update?

This update, unlike most others, has no other changes except those related to addressing these vulnerabilities.

Packages updated in this update

As is the case with many of the CF updates, this one does include updates to some of its packages: 3 of them for both versions. Note that there is also a table at the bottom of each technote indicating what packages were updated.

Improvements labeled as "bugs fixed" in this update

This update has no indication of any bugs fixed, at the time of this writing.

"Known issues" that remain after the update, with workarounds

This update has no indication of any known issues, at the time of this writing.

Things to beware BEFORE doing any CF update

Before you may proceed with the update, I want to share some more information that you should consider BEFORE doing the update.

Changes, as a result of any CF updates you may be skipping

First, when we may say that "these are the things changed per this update", or perhaps "there are no bug fixes/changes/known issues", it's important to note that this is referring specifically to THIS update--and it's presuming you are coming from the immediately preceding update.

If instead you had SKIPPED that one or any before it, then (while it's true you can just move to this latest update) note that you MUST take into consideration whatever is indicated as having changed in that/those prior updates you're skipping.

The technote and Adobe resource pages about the update do offer a link to a page listing ALL updates for each CF version, to facilitate that effort.

Most important, perhaps, note that some CF updates introduce breaking changes (where Adobe is sacrificing compatibility for the sake of security). In those cases, they may identify (in the technotes) some new jvm arg which, if added to CF's startup args (like in the jvm.config file or the CF Admin "java & jvm" page), may revert that change of behavior (sacrificing that one security improvement for the sake of compatibility).

Again, see the update technotes for any you may be skipping, to see if they may offer such a new JVM arg. And FWIW, I try to do a blog post on each of the CF updates, so you can look also at those for more info. Here's the link to my category of posts on most of the previous updates, where I tend to cover these important breaking changes and any jvm args.

Finally, note that Adobe has recently started to track in a separate page what those new jvm args are. There's one list for CF2025 and another for CF2023 and 2021. Sometimes these pages may say a bit more than the update technotes do, but rarely. See both.

Beware also that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten

More specifically, here's a matter that applies to the update for both CF2025 and 2023. It started happening with the update in July 2025, and it's still happening. Technically, it applies only to people who a) had applied the May update or later and then b) had modified the new pathfilter.json file introduced in that May update (see my post on that May update for more), which is used for whitelisting folders used for scheduled task output, for precompiled code, or for controlling the locations where CF CAR files may be used:

If you have added custom entries to the pathfilter.json file (in cfusion/lib or [instancename]/lib), note that this file is REMOVED and replaced by a default version in the update. You must either:
  • Back up the pathfilter.json file before applying the update, to restore it afterward
  • Or restore it from the backup folder created by the update itself, after you apply the update.
The backup copy of the file can be found along with many other CF files that are backed up during updates, in the "hf-updates" subfolder created for the update you applied, where you'll find it in \backup\lib\pathfilter.json

One more thing to beware on this matter: the Dec 2025 update added a NEW section to that file (related to CAR file processing), so you can't simply restore your file from BEFORE this update over top of that. You should fold any changes you previously made into that new version of the file created with that update.

The update technote doesn't warn of either of the issues above, but previous updates did and the concern still applies, as I tested it today. (If I learn otherwise, I will update this.)
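As an added example (not from this post, and not an Adobe tool), here is a small Python helper that folds the custom entries from your backed-up pathfilter.json into the updated default file, so the section a later update added is kept while your own whitelisted paths come back. The JSON key names are hypothetical and both samples are constructed; the merge logic itself does not depend on the real file's keys.

```python
import json
from copy import deepcopy

# Constructed sample of pathfilter.json as the update leaves it (Adobe defaults,
# including a section an older backup may lack). Key names are hypothetical.
NEW_DEFAULT = json.loads("""{
  "scheduledTask": {"allowedPaths": ["C:/ColdFusion2025/cfusion/logs"]},
  "precompiled":   {"allowedPaths": []},
  "car":           {"allowedPaths": ["C:/ColdFusion2025/cfusion/wwwroot"]}
}""")

# Constructed sample of the backup (hf-updates\...\backup\lib\pathfilter.json): custom entries, no "car" section.
OLD_CUSTOM = json.loads("""{
  "scheduledTask": {"allowedPaths": ["C:/ColdFusion2025/cfusion/logs", "D:/reports"]},
  "precompiled":   {"allowedPaths": ["D:/apps/compiled"]}
}""")

def merge_pathfilter(new_default, old_custom):
    """Fold custom entries into the updated defaults: dicts merge recursively,
    lists are unioned (defaults first, customs appended once), scalars keep
    the custom value. Sections only in new_default are left untouched."""
    result = deepcopy(new_default)
    for key, old_val in old_custom.items():
        cur = result.get(key)
        if isinstance(cur, dict) and isinstance(old_val, dict):
            result[key] = merge_pathfilter(cur, old_val)
        elif isinstance(cur, list) and isinstance(old_val, list):
            result[key] = cur + [v for v in old_val if v not in cur]
        else:
            result[key] = deepcopy(old_val)
    return result

def added_entries(new_default, merged, path=()):
    """List (path, value) for list entries in merged that are not in new_default,
    so every re-whitelisted path can be reviewed before the file goes live."""
    out = []
    for key, val in merged.items():
        base = new_default.get(key)
        if isinstance(val, dict):
            out += added_entries(base if isinstance(base, dict) else {}, val, path + (key,))
        elif isinstance(val, list):
            out += [(path + (key,), v) for v in val if not isinstance(base, list) or v not in base]
    return out

def merge_files(new_path, backup_path, out_path):
    # Merge the backup into the updated file on disk and write the result.
    with open(new_path) as f_new, open(backup_path) as f_old:
        merged = merge_pathfilter(json.load(f_new), json.load(f_old))
    with open(out_path, "w") as f_out:
        json.dump(merged, f_out, indent=2)
```

Review the output of added_entries before copying the merged file over the live one, since each entry it lists is a folder you are whitelisting again.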

How can you assess if the update went well?

So with the above out of the way, you may be ready to "give it a shot". And it's easy enough to apply updates, especially using the CF Admin.

And when you have applied a CF update, it's easy to think, "well, if CF came back up, I'm good". That's not true. There MAY have been an error during the update--or during the applying of package updates (which happen during the first startup of CF after the update). You should always check these things, as a best practice.

1) Check the update log, both for success applying the update

When the update is finished (and CF is restarted), the update mechanism (a java process that CF launches to do the update) will write a log file to the cfusion/hf-updates folder, in the subfolder named for the update you just did (such as--for CF2025 update 7: \ColdFusion2025\cfusion\hf-updates\hf-2025-00007-331586, which of course will vary for each update). And the log file will have a name like Adobe_ColdFusion_2025_Update_7_Install_04_14_2026_18_57_33.log, which again will vary for each update--but note that it includes the time of the update.

In that file, look at about line 70 which will show a table of "successes" and "fatalerrors" and "nonfatalerrors". You want to see 0 of the latter two. There is also a count of "warnings", but 1 or even a couple may be insignificant.

If there were errors, there can be any of many explanations. I covered some of the more common ones first in a blog post several years ago How to solve common problems with applying ColdFusion updates. See also a 2025 presentation I did, Solving Common Problems with CF Updates (PDF and recording offered there).

But before closing the log file, see the next section.

2) Check that same update log, for success in the update downloading any updated package

New since CF2021, CF is now modular (based on OSGi) such that most CF features are organized into "packages" (or "modules") that you can choose to implement or not. And most CF updates (but not all) include some package update/s.

As such, we also need to make sure such package updates go well when applying a CF update. And the first place to watch for is in that same update log from the previous section. See the bottom of the log, where it may report one or many packages (and related "jar" files) being downloaded (or it may report, "All the packages are already updated as per the current core update level.")

A key point to note is that it's NOT the CF update (tracked in this log) which PERFORMS the package update. Instead, it ONLY attempts to DOWNLOAD whatever packages will need to be updated. It's then on the next CF STARTUP (which happens automatically after a CF update) that any packages are updated.

To wit, the last (and equally important) thing to check is...

3) Check the coldfusion-out.log for success during UPDATING of any packages

The coldfusion-out.log tracks most of what happens during startup of CF (there is also information in the coldfusion-error.log; and of course if you run CF from the command line rather than as a service, the info normally sent to these files is sent to your console instead). But regarding updates, it tracks whether any packages you have installed are updated (which happens during that startup).

So after performing a CF update, and assuming the update log indicated that there were package updates downloaded, you would look to the BOTTOM of the coldfusion-out.log (assuming CF just restarted), to observe the lines that discuss CF first "uninstalling" any packages (and related jars) that were updated. Then it will show that any implemented packages are "started" (it never shows it "installing" or "updating" the packages, per se). We want to watch for any errors that occur (well, pay attention especially to any which may not be happening on every CF startup.)

It could be several dozen or more lines which are written during CF startup, depending on a) the number of packages you've installed and b) how many needed to be updated. If you have trouble interpreting problems you see, see the final section here where I can help, remotely, and often nearly immediately.
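As an added example covering steps 1 through 3 above (not from this post, and not Adobe's tooling), here is a Python helper that parses the success/error counts from the update install log, flags error lines written after package updating begins in coldfusion-out.log, and locates the newest install log under hf-updates. Both log samples are constructed, and the "N Successes / N FatalErrors" table wording is an assumption to adjust against your own log.

```python
import re
from pathlib import Path

# Constructed sample of the summary block near the end of the update's install
# log. The "N Successes / N Warnings / N NonFatalErrors / N FatalErrors" wording
# is assumed; adjust COUNT_RE if your log labels the table differently.
SAMPLE_UPDATE_LOG = """\
Summary
-------
Installation: Successful.

4821 Successes
1 Warnings
0 NonFatalErrors
0 FatalErrors
"""

# Constructed sample of the tail of coldfusion-out.log on the restart that
# applies downloaded packages. Line wording is illustrative, not Adobe's.
SAMPLE_OUT_LOG = """\
Apr 14, 2026 18:58:10 PM Information [main] - Uninstalling package: adminapi
Apr 14, 2026 18:58:11 PM Information [main] - Started package: adminapi
Apr 14, 2026 18:58:12 PM Error [main] - Exception while starting package: image
"""

COUNT_RE = re.compile(r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$",
                      re.IGNORECASE | re.MULTILINE)

def parse_update_summary(text):
    """Return {"successes": n, "warnings": n, "nonfatalerrors": n, "fatalerrors": n}."""
    return {label.lower(): int(n) for n, label in COUNT_RE.findall(text)}

def update_succeeded(counts):
    """Step 1: zero fatal and zero non-fatal errors (a warning or two may be fine)."""
    return counts.get("fatalerrors", 0) == 0 and counts.get("nonfatalerrors", 0) == 0

def package_problems(out_log_text, marker="Uninstalling package"):
    """Step 3: error/exception lines written after package updating began.
    Returns [] when no package update ran during that startup."""
    lines = out_log_text.splitlines()
    start = next((i for i, line in enumerate(lines) if marker in line), None)
    if start is None:
        return []
    return [l for l in lines[start:] if re.search(r"\b(error|exception)\b", l, re.IGNORECASE)]

def newest_install_log(hf_updates_dir):
    """Locate the most recent *Install*.log under cfusion/hf-updates/hf-*/."""
    logs = list(Path(hf_updates_dir).glob("hf-*/*Install*.log"))
    return max(logs, key=lambda p: p.stat().st_mtime) if logs else None
```

Point newest_install_log at your own cfusion/hf-updates folder, read that file, and pass its text to parse_update_summary; then run package_problems over the tail of coldfusion-out.log after the restart.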

A few other topics generic to recent CF updates, which you may want to consider

Before wrapping up, there are a few other matters that may interest you, which generally apply to ALL the updates.

You should strongly consider the suggestion to "delete the felix-cache"

The first is that while it's not mentioned in every update technote, there has been in the technotes for previous recent CF updates an indication that after doing the update, one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF. CF will instantly recreate the folder and its files upon the next CF startup.

(While it's true that updates in early 2025 started doing a delete of the felix-cache folder as a FIRST step in the update process, that doesn't help if the update did update packages, in which case it's wise to delete it again AFTER the update, as discussed here. Again, this is just a recommended practice from my experience helping with hundreds of CF updates, not something Adobe mandates.)

There's no reason NOT to do this, and it HAS been known to fix issues that lingered after an update.

And do repeat that step for any instances other than "cfusion" which you may have, which can be created optionally if running CF Enterprise or the Developer or Trial edition.

Other update topics to consider

Beyond that, there are a few more topics which I have covered in my previous blog posts on the updates. What I said in them applies generally to this one as well--especially if you may have jumped to this latest update from an older one, so I'll just point you to the bottom of my post from the Oct 2024 update where I discuss them more:

  • What to consider, with regard to some previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're updating CF2023 from its update 4, or earlier
  • and more

The discussion of these points starts at this point in that Oct 2024 post.

I may eventually break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates). If I do, I will update this section to point to that.

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected]. Finally, to reach out to the wider CF community, note that I offer links to several of the online CF communities here.

Copyright ©2026 Charlie Arehart