Adobe Patches Nearly 140 Vulnerabilities

The Experience Manager security update resolves 117 vulnerabilities, including 116 identified as cross-site scripting (XSS) bugs.

Adobe on Tuesday announced the rollout of patches for nearly 140 vulnerabilities across its products, including critical-severity bugs in ColdFusion and Experience Manager.

ColdFusion received fixes for 12 security defects, most of which could be exploited for arbitrary code execution.

The most severe of these are CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS score of 9.1), described as unrestricted dangerous file upload, improper input validation, and deserialization of untrusted data, respectively.

Fixes for all 12 bugs were included in ColdFusion 2025 update 5, ColdFusion 2023 update 7, and ColdFusion 2021 update 23.

This month, Experience Manager (AEM) received fixes for 117 vulnerabilities, 116 of which are cross-site scripting (XSS) flaws, including two critical-severity bugs, tracked as CVE-2025-64537 and CVE-2025-64539 (CVSS score of 9.3).

The remaining 114 XSS issues are medium-severity bugs. The update also ...