Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe has released patches for 25 vulnerabilities across its products, including a critical Apache Tika flaw in ColdFusion.

Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.

The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.

The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).

On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that ColdFusion 2025 Update 5 and earlier versions and ColdFusion 2023 Update 17 and earlier versions are affected on all platforms.

The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has slapped a priority rating of ‘1’ on the security bulletin, urging users to update as soon as possible.

Another Adobe product that received an update on January 2026 Patch Tuesday is Dreamweaver. The security refresh resolves five high-severity flaws, four leading to arbitrary code execution and one leading to arbitrary system file write.

High-severity security defects were resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some products, the updates also fixed medium-severity bugs.

Adobe also released fixes for a medium-severity vulnerability in Substance 3D Designer, warning it could lead to memory leaks.

All the remaining advisories have a priority rating of ‘3’, as the issues were addressed in products that have not been historically targeted in attacks.

The company makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on Adobe’s security advisories page.

Microsoft on Tuesday patched 112 vulnerabilities, including a zero-day exploited in attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
