
Announcing ColdFusion updates of Jun 9 2026 - p1 security update - thoughts and resources

An update for ColdFusion has been released, June 9 2026, for each of CF2025 (as its update 9) and CF2023 (as its update 20).

In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

The update also brings the version of Tomcat embedded within each CF version to one still more recent than in previous CF updates. To be clear, there are no other changes, bug fixes, or known issues indicated for this update.

FWIW, some may know that Adobe released an update just last month--which was ONLY for CF2025, as I discussed in a post that day, May 20. That DID include many new features and changes (including changed behaviors), so note that if you are on CF2025 and are skipping from update 7 or earlier, look to that post for more before proceeding.

And like with each CF update, I share the details about the update (from Adobe and from others) as well as additional info you may want to consider before (or after) doing the update.

For more, read on.

(And FWIW I'll note that having installed the update for each of the releases on multiple machines, I can report that it went well.)

Following are the topics discussed in this post:

I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offered help to them and my own clients. (So far, again, I'm not aware of any issues. That said, sometimes issues arise due to caching--with respect to "seeing" or downloading the update. Only time will tell, but such problems inevitably do pass.)

Finding the update (and more about it)

You should find news of the new update in your CF Admin upon login (assuming "check for updates" is enabled in its Package Manager "Settings" tab, or if you click the "check for updates" button under the "Core Server" section of the Package Manager page). If you don't, even today, give it time as there may be a caching issue.

Otherwise, Adobe has announced the update via their CF Portal, specifically these:

(Curiously, there is still no post for the update in the CF Community Forums, where often there tends to be more "discussion" from community members.)

And each such announcement points to the very important update technote available for each version:

BTW, note that the URL for these technotes has changed: I find currently that trying to use the URL of the previous updates (such as for CF2023 update 19) and incrementing the number by one results in a 404 error. They are now under the "guides" section of the Adobe site, rather than the "helpx" section. I don't know if this is a permanent change or just a temporary one, but it's worth noting in case you have bookmarked the previous technotes.

What are the security issues addressed in the update?

As I indicated at the outset, this update is focused solely on security. Quoting from the update technotes, the update "includes important security fixes that mitigate vulnerabilities related to arbitrary code execution, arbitrary file write, information disclosure, stored cross-site scripting, and security feature bypass".

Again the update ALSO includes an update to the Tomcat versions included in each of CF2025 (to Tomcat 10.1.55) and CF2023 (to Tomcat 9.0.118).
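One way to confirm after the update that the embedded Tomcat really is at the level named above (an added example, not from Adobe or from the author of this post). It assumes you have captured the text printed by Tomcat's `org.apache.catalina.util.ServerInfo` class, run against the `catalina.jar` inside your CF instance; the function names and sample outputs are constructed for illustration.

```python
import re

# Embedded Tomcat versions this update ships, as stated in the post.
EXPECTED_TOMCAT = {"CF2025": (10, 1, 55), "CF2023": (9, 0, 118)}


def parse_tomcat_version(serverinfo_output):
    """Return the Tomcat version as a tuple of ints, or None if not found."""
    m = re.search(r"^Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)",
                  serverinfo_output, re.MULTILINE)
    return tuple(int(part) for part in m.groups()) if m else None


def tomcat_is_current(cf_release, serverinfo_output):
    """True when the embedded Tomcat is at least the version this update ships."""
    expected = EXPECTED_TOMCAT[cf_release]
    found = parse_tomcat_version(serverinfo_output)
    if found is None:
        raise ValueError("no 'Server version' line in ServerInfo output")
    # Require the same major.minor line (9.0.x for CF2023, 10.1.x for CF2025),
    # then compare numerically: as strings, "9.0.98" would sort above "9.0.118".
    return found[:2] == expected[:2] and found >= expected


# Constructed sample outputs (not captured from a real server).
SAMPLE_UPDATED_CF2023 = (
    "Server version: Apache Tomcat/9.0.118\n"
    "Server number:  9.0.118.0\n"
)
SAMPLE_STALE_CF2023 = (
    "Server version: Apache Tomcat/9.0.98\n"
    "Server number:  9.0.98.0\n"
)

if __name__ == "__main__":
    for label, text in (("updated", SAMPLE_UPDATED_CF2023),
                        ("stale", SAMPLE_STALE_CF2023)):
        state = "current" if tomcat_is_current("CF2023", text) else "OUTDATED"
        print(f"CF2023 sample ({label}): Tomcat "
              f"{'.'.join(map(str, parse_tomcat_version(text)))} is {state}")
```
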

As for the CF aspects of the security vulnerabilities, see the Adobe Product Security Bulletin (or APSB) for this update, which indicates how it's indeed a Priority 1 "Critical" update, with the various CVEs listed in the bulletin having CVSS scores ranging from 4.8 to 9.6 out of 10. The bulletin clarifies the specific NIST CVEs addressed.

You can read the bulletin for the boilerplate identification of the issues, and the CVE documents. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.

Packages updated in this update

As is the case with many of the CF updates, this one does include updates to a few of its packages. See the table at the bottom of each technote indicating what packages were updated (which differs slightly between the two versions).

(As I noted at the outset, this update includes no other changes, bug fixes, or known issues, as documented in the update technotes at the time of this writing.)

Additional info to consider before/after doing CF updates

Finally, just as with ANY CF update, there are a few issues you should keep in mind. Some have to do with things you should consider BEFORE doing any CF update, while others relate to considerations AFTER the update is applied.

I used to cover them within each of these posts, but I have tried to avoid repeating them. I'll say again that I plan to create a new post pulling the points out to stand alone (as a kind of best practices for CF updates). But until then, look first at the closing sections of my Apr 2026 update post:

  • Things to beware BEFORE doing any CF update
    • Changes, as a result of any CF updates you may be skipping
    • Beware also that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten
  • How can you assess if the update went well?
    • 1) Check the update log, both for success applying the update
    • 2) Check that same update log, for success in the update downloading any updated package
    • 3) Check the coldfusion-out.log for success during UPDATING of any packages
  • A few other topics generic to recent CF updates, which you may want to consider
    • You should strongly consider "clearing the felix-cache"
    • Other update topics to consider

And then there were still other generic update topics which I'd covered in still previous posts, the last one in my post on the Oct 2024 updates. After that I started having my subsequent posts point people instead to the bottom of that post for these equally important topics:

  • What to consider, with regard to some previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're updating CF2023 from its update 4, or earlier
  • and more

On getting help with the update(s)

Finally, as for getting more help with the update, you have a few options.

First, you can reach out to Adobe via the post(s) announcing the update which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected].

Next, you can also reach out to the wider CF community for help or to hear from others. Note that I offer links to several of the online CF communities here.

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.

Copyright ©2026 Charlie Arehart