Advisory

Adobe releases January 2026 patches for multiple products

Take action: If you're running Adobe ColdFusion, patch it first: it has a critical vulnerability rated Priority 1, and ColdFusion is frequently exposed to the internet. For Creative Cloud users, review the January 2026 advisory and update Dreamweaver, InDesign, Illustrator, InCopy, Bridge, and Substance 3D applications.



Adobe has released its January 2026 security updates, patching vulnerabilities across multiple products. The updates address critical and important vulnerabilities, primarily in Adobe ColdFusion and in Creative Cloud applications including Dreamweaver, InDesign, Illustrator, InCopy, Bridge, and the Substance 3D suite. These vulnerabilities could lead to arbitrary code execution, memory exposure, and application denial-of-service.

Adobe ColdFusion

Critical vulnerability

  • CVE-2025-66516 (CVSS score 9.8) - Dependency vulnerability in Apache Tika that could lead to arbitrary code execution.

Affected Versions:

  • ColdFusion 2025 - Update 5 and earlier versions
  • ColdFusion 2023 - Update 17 and earlier versions

Updated Versions:

  • ColdFusion 2025 - Update 6
  • ColdFusion 2023 - Update 18

Adobe Dreamweaver

Critical vulnerabilities

  • CVE-2026-21267 (CVSS score 8.6) - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21268 (CVSS score 8.6) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21274 (CVSS score 7.8) - Incorrect Authorization vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21271 (CVSS score 8.6) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21272 (CVSS score 8.6) - Improper Input Validation vulnerability that could lead to arbitrary file system write.

Affected Versions:

  • Adobe Dreamweaver - 21.6 and earlier versions (Windows and macOS)

Updated Version:

  • Adobe Dreamweaver - 21.7 (Windows and macOS)

Adobe InDesign

Critical vulnerabilities

  • CVE-2026-21275 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21276 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21277 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21304 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Important vulnerability

  • CVE-2026-21278 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.

Affected Versions:

  • Adobe InDesign - ID21.0 and earlier versions (Windows and macOS)
  • Adobe InDesign - ID19.5.5 and earlier versions (Windows and macOS)

Updated Versions:

  • Adobe InDesign - ID21.1 (Windows and macOS)
  • Adobe InDesign - ID20.5.1 (Windows and macOS)

Adobe Illustrator

Critical vulnerability

  • CVE-2026-21280 (CVSS score 8.6) - Untrusted Search Path vulnerability that could lead to arbitrary code execution.

Important vulnerability

  • CVE-2026-21288 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.

Affected Versions:

  • Illustrator 2025 - 29.8.3 and earlier (Windows)
  • Illustrator 2026 - 30.0 and earlier (Windows)

Updated Versions:

  • Illustrator 2025 - 29.8.4 and above (Windows and macOS)
  • Illustrator 2026 - 30.1 and above (Windows and macOS)

Adobe InCopy

Critical vulnerability

  • CVE-2026-21281 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe InCopy - 21.0 and earlier versions (Windows and macOS)
  • Adobe InCopy - 19.5.5 and earlier versions (Windows and macOS)

Updated Versions:

  • Adobe InCopy - 21.1 (Windows and macOS)
  • Adobe InCopy - 20.5.1 (Windows and macOS)

Adobe Bridge

Critical vulnerability

  • CVE-2026-21283 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Bridge - 15.1.2 (LTS) and earlier versions (Windows and macOS)
  • Adobe Bridge - 16.0 and earlier versions (Windows and macOS)

Updated Versions:

  • Adobe Bridge - 15.1.3 (LTS) (Windows and macOS)
  • Adobe Bridge - 16.0.1 (Windows and macOS)

Adobe Substance 3D Modeler

Critical vulnerabilities

  • CVE-2026-21298 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2026-21299 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2026-21300 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
  • CVE-2026-21301 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
  • CVE-2026-21302 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
  • CVE-2026-21303 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.

Affected Versions:

  • Adobe Substance 3D Modeler - 1.22.4 and earlier versions (All platforms)

Updated Version:

  • Adobe Substance 3D Modeler - 1.22.5 (All platforms)

Adobe Substance 3D Stager

Critical vulnerability

  • CVE-2026-21287 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Substance 3D Stager - 3.1.5 and earlier versions (Windows and macOS)

Updated Version:

  • Adobe Substance 3D Stager - 3.1.6 (Windows and macOS)

Adobe Substance 3D Painter

Critical vulnerability

  • CVE-2026-21305 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Substance 3D Painter - 11.0.3 and earlier versions (All platforms)

Updated Version:

  • Adobe Substance 3D Painter - 11.1.2 (All platforms)

Adobe Substance 3D Sampler

Critical vulnerability

  • CVE-2026-21306 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Substance 3D Sampler - 5.1.0 and earlier versions (All platforms)

Updated Version:

  • Adobe Substance 3D Sampler - 5.1.3 (All platforms)

Adobe Substance 3D Designer

Important vulnerability

  • CVE-2026-21308 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • Adobe Substance 3D Designer - 15.0.3 and earlier versions (All platforms)

Updated Version:

  • Adobe Substance 3D Designer - 15.1.0 (All platforms)

Adobe reports that it is not aware of any exploits in the wild for any of the issues addressed in these updates. Users are strongly encouraged to update their software to the latest versions.
