Whatever message this page gives is out now! Go check it out!

ColdFusion (2023 release) Update 21

Last update:
Jun 30, 2026
ColdFusion (2023 release) Update 21 tech note

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guide.
Note:
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
View ColdFusion (2023 release) Updates for more information.

What's new and changed

ColdFusion (2023 release) Update 21 (release date: 30 June, 2026) resolves critical vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass.
View the security bulletin, APSB26-68, for more information.
New accept attribute
A new accept attribute is available on the following tags:
The documentation for cfpop and cfimap tags has also been aligned to reflect existing support for this attribute.
accept takes a comma-separated list of file extensions that controls which attachment types are downloaded. For example, accept=".pdf,.txt" saves only PDF and TXT attachments.
Filtering behaviorThe accept attribute and the blocked-extension list work together, but their interaction depends on how accept is specified:
  • Attribute omitted or empty : The blocked-extension list alone governs which attachments are saved. No additional filtering is applied.
  • Wildcard (accept="*") : All attachments are accepted regardless of their extension. The blocked-extension list is not consulted. This behaves the same as cffile upload with a wildcard, and allows extensions that would otherwise be blocked.
  • Explicit extension match : If accept names a file's extension directly (for example, accept=".cfm"), that is treated as an authoritative override. The attachment is saved even if the extension appears on the blocked list.
  • All other cases : The attachment must both match the accept filter and pass the blocked-extension check. A MIME-type match alone does not re-allow a blocked extension; the extension itself must not be blocked.
Allowing all attachments using a JVM argument
If you want to restore the previous behavior of accepting all attachment types without consulting the blocked-extension list, equivalent to using accept="*" globally, you can use the following JVM argument:
-Dcoldfusion.attachment.allowblockedextensions
View JVM arguments in ColdFusion (2023 release) for more information.
Saxon XML parser: New security flags for XMLSearch and XMLTransform
Four new JVM flags restrict Saxon parser capabilities used by XMLSearch and XMLTransform. All four default to false, meaning the corresponding Saxon features are disabled unless you explicitly re-enable them.
JVM Flags
JVM flagDefaultEffect when set to true
coldfusion.xml.saxon.allowResultDocumentfalseRe-enables xsl:result-document
coldfusion.xml.saxon.allowUnparsedTextfalseRe-enables the unparsed-text() function family
coldfusion.xml.saxon.allowDocFunctionfalseRe-enables doc(), doc-available(), and document()
coldfusion.xml.saxon.allowEnvironmentVariablefalseRe-enables environment-variable()
To re-enable a feature, add the corresponding flag to your JVM arguments and set it to true. For example:
-Dcoldfusion.xml.saxon.allowDocFunction=true
Caution: These features are disabled by default because they can expose server-side file paths, environment variables, or allow XSLT stylesheets to write arbitrary output files. Re-enable them only if your deployment explicitly requires the functionality and you have assessed the associated risk.

Prerequisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

ColdFusion JDK flag requirements

COLDFUSION 2023 (version 2023.0.0.330468) and above

For Application Servers

On JEE installations, set the following JVM flag, " -Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
  • Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
  • WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
  • WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer from the link.
  2. Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
     
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerRepositoryUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerRepositoryUnzippedPath>\bundles\updateinstallers\hotfix-021-330920.jar
     
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerRepositoryUnzippedPath>/bundles/updateinstallers/hotfix-021-330920.jar
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
 
Note:
If you are on Java 17.0.8 or higher and want to apply the Hotfix manually, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.

Post installation

Note:
After applying this update, the ColdFusion build number should be 2023,0,21,330920

Uninstallation

To uninstall the update, perform one of the following:
  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00021-330920/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00021-330920}/backup directory to {cf_install_home}/{instance_name}/
Note:
Uninstalling this update only removes the core update itself. Any ColdFusion packages that were updated as part of this release remain at their latest compatible versions. If you need to revert package versions, you must do so separately; uninstalling the core update does not roll back package versions automatically.
Q: If I uninstall ColdFusion 2023 Update 21, will all the packages installed with it be rolled back?
 A: No. Package rollback depends on the minimum core dependency of each package:
 
  • Packages with a minimum core dependency of update 21 (that is, they specifically require this core level) are rolled back when you uninstall this core update.
  • Packages with a minimum core dependency of update 20 or update 19 remain installed at their latest compatible versions and are not rolled back automatically when you uninstall the core update.

Connector configuration

2023 UpdateConnector recreation required
Update 21
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 20
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 19
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 18
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 17
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 16
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 15
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 14
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 13
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 12
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 11
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 10
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 9
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 8
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 7No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 6
No
However, upgrading from Update 4 and earlier requires you to recreate the connector.
View the following for more information on creating and configuring connectors:
Update 5Yes
Update 4No
Update 3No
Update 2No
Update 1No

Package updates

UpdatePackages updated
Update 21
Yes
  • administrator
  • ajax
  • exchange
  • feed
  • mail
  • websocket
Update 20
Yes
  • administrator
  • axis
  • ccs
  • exchange
  • mail
  • sharepoint
Update 19
Yes
  • adminapi
  • administrator
  • CCS
Update 18
Yes
  • image
  • htmltopdf
  • pdf
  • print
  • search
Update 17
Yes
  • administrator
  • ccs
  • document
  • htmltopdf
  • pdf
  • presentation
  • print
  • report
  • scheduler
  • search
  • spreadsheet
  • websocket
Update 16
Yes
  • feed
Update 15
Yes
The following packages are updated:
  • adminapi
  • administrator
  • axis
  • document
  • exchange
  • htmltopdf
  • image
  • pdf
  • presentation
  • print
  • report
  • saml
  • scheduler
  • search
  • sharepoint
  • spreadsheet
Update 14
Yes
The following packages are updated:
  • adminapi
  • administrator
  • document
  • htmltopdf
  • pdf
  • presentation
  • print
  • report
  • scheduler
Update 13
Yes
The following packages are updated:
  • htmltopdf
  • administrator
  • ajax
  • ccs
Update 12
Yes
The pmtagent package is updated.
Update 11Yes
Update 10No
Update 9No
Update 8Yes
Update 7Yes
Update 6No
Update 5Yes
Update 4No
Update 3No
Update 2No
Update 1No

Share this page

Was this page helpful?
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Thank you for your feedback. Your response will help improve this page.

On this page