Adobe Systems has released security hotfixes for a critical information disclosure vulnerability that exists in ColdFusion versions 10 and 11, across all platforms.

The flaw – officially designated CVE-2016-4264 – occurs during the parsing of crafted XML entities, according to an Adobe security bulletin. Adobe has classified the threat as "Priority 2," meaning the product has historically been at an elevated risk of attack, although an exploit is not likely imminent. 

To resolve the issue, Adobe has advised its customers to install Update 10 for ColdFusion 11 and Update 21 for ColdFusion 10, as well as to follow all recommended security configuration settings.

The ColdFusion 2016 release is not affected by the vulnerability, Adobe noted.