Adobe Experience Manager Forms Hotfixes
- Applies to:
- Experience Manager 6.5
- Topics:
- Release Information
CREATED FOR:
- User
- Admin
- Developer
This article lists the critical fixes implemented to address known issues, improve system stability, and enhance overall performance of AEM Forms.
Hotfixes for AEM Forms
Applies to: AEM 6.5 Forms Service Pack 23
Setup instructions: Mitigating XXE, Configuration, and Remote Code Execution (CVE-2025-49533) Vulnerabilities for AEM Forms on JEE
- JBoss:
  - Windows: Hotfix2 for AEM Service Pack 6.5.23.0 on Windows for JBoss JEE server
  - Linux: Hotfix2 for AEM Service Pack 6.5.23.0 on Linux for JBoss JEE server
- WebLogic:
  - Windows: Hotfix2 for AEM Service Pack 6.5.23.0 on Windows for WebLogic JEE server
  - Linux: Hotfix2 for AEM Service Pack 6.5.23.0 on Linux for WebLogic JEE server
- WebSphere:
  - Windows: Hotfix2 for AEM Service Pack 6.5.23.0 on Windows for WebSphere JEE server
  - Linux: Hotfix2 for AEM Service Pack 6.5.23.0 on Linux for WebSphere JEE server
- Enhanced security by addressing a Remote Code Execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms. The issue was related to Struts development mode in the admin user interface (UI), which allowed arbitrary Object-Graph Navigation Language (OGNL) evaluation through debug functionality. This fix ensures that Struts development mode is disabled and appropriate security filters are applied to prevent unauthorized access.
- Improved protection against Extensible Markup Language (XML) External Entity (XXE) vulnerabilities in the Electronic Document Component (EDC) module of Adobe Experience Manager (AEM) Forms. The vulnerabilities were due to improper handling of XML documents without XXE protections, which could lead to local file reads. The fix includes:
  - Ensuring that the DocumentBuilderFactory used in the SecurityCheckHandler class is configured to prevent XXE attacks.
  - Updating the EDC web service to handle XML documents securely, preventing unauthorized access to local files.
Applies to: AEM 6.5 Forms Service Pack 18 – 22
Setup instructions: Manual Hotfix Installation for Service Packs 18–22
- Enhanced security by addressing a Remote Code Execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms. The issue was related to Struts development mode in the admin user interface (UI), which allowed arbitrary Object-Graph Navigation Language (OGNL) evaluation through debug functionality. This fix ensures that Struts development mode is disabled and appropriate security filters are applied to prevent unauthorized access.
- Improved protection against Extensible Markup Language (XML) External Entity (XXE) vulnerabilities in the Document Security module of Adobe Experience Manager (AEM) Forms. The vulnerabilities were due to improper handling of XML documents without XXE protections, which could lead to local file reads. The fix includes:
  - Ensuring that the DocumentBuilderFactory used in the SecurityCheckHandler class is configured to prevent XXE attacks.
  - Updating the Document Security web service to handle XML documents securely, preventing unauthorized access to local files.
- JBoss:
  - Windows: Hotfix for AEM Service Pack 6.5.23.0 on Windows for JBoss JEE server
  - Linux: Hotfix for AEM Service Pack 6.5.23.0 on Linux for JBoss JEE server
- WebLogic:
  - Windows: Hotfix for AEM Service Pack 6.5.23.0 on Windows for WebLogic JEE server
  - Linux: Hotfix for AEM Service Pack 6.5.23.0 on Linux for WebLogic JEE server
- WebSphere:
  - Windows: Hotfix for AEM Service Pack 6.5.23.0 on Windows for WebSphere JEE server
  - Linux: Hotfix for AEM Service Pack 6.5.23.0 on Linux for WebSphere JEE server
This hotfix fixes the following:
- FORMS-20533: AEM Forms now includes an upgrade of Struts version from 2.5.33 to 6.x for the forms component. This delivers previously missed Struts changes that were not included in SP23. The support was added via a Hotfix that you can download and install to add support for the latest version of Struts.
- FORMS-20532: AEM Forms now includes an upgrade of Struts version from 2.5.33 to 6.x for the output component. This delivers previously missed Struts changes that were not included in SP23. The support was added via a Hotfix that you can download and install to add support for the latest version of Struts.
- FORMS-20203: When a user upgrades Struts from AEM Service Pack 2.5.x to AEM Forms Service Pack 6.x, the Policies UI fails to display all configurations, such as the option to add a watermark. You can download and install the Hotfix to resolve this issue.
- FORMS-20360: After upgrading to AEM Forms Service Pack 6.5.23.0, the ImageToPDF conversion service fails with the error:
17:15:44,468 ERROR [com.adobe.pdfg.GeneratePDFImpl] (default task-49) ALC-PDG-001-000-ALC-PDG-011-028-Error occurred while converting the input image file to PDF. com/adobe/internal/pdftoolkit/core/encryption/EncryptionImp
You can download and install the Hotfix to resolve this issue.
To install this fix, follow the instructions in Mitigating Spring Framework Vulnerabilities for AEM Forms on JEE.
- Hotfix for AEM Service Pack 6.5.22.0 on Windows for JBoss JEE server
- Hotfix for AEM Service Pack 6.5.22.0 on Linux for JBoss JEE server
- Hotfix for AEM Service Pack 6.5.22.0 on Windows for WebLogic JEE server
- Hotfix for AEM Service Pack 6.5.22.0 on Linux for WebLogic JEE server
- Hotfix for AEM Service Pack 6.5.22.0 on Windows for WebSphere JEE server
- Hotfix for AEM Service Pack 6.5.22.0 on Linux for WebSphere JEE server
- Mitigating Spring Framework Vulnerabilities for AEM Forms on JEE
- Hotfix for AEM Service Pack 6.5.21.0 on Windows for JBoss JEE server
- Hotfix for AEM Service Pack 6.5.21.0 on Linux for JBoss JEE server
- Hotfix for AEM Service Pack 6.5.21.0 on Windows for WebSphere JEE server
- Hotfix for AEM Service Pack 6.5.21.0 on Linux for WebSphere JEE server
- Hotfix for AEM Service Pack 6.5.21.0 on Windows for WebLogic JEE server
- Hotfix for AEM Service Pack 6.5.21.0 on Linux for WebLogic JEE server
- When a user updates to AEM Forms Service Pack 20 (6.5.20.0) on JEE server and generates PDFs using output services, the PDFs render with accessibility issues. (LC-3922112)
- Tagged PDFs generated using output service on AEM Forms JEE show "Inappropriate structure warning". (LC-3922038)
- When a form is submitted on AEM Forms JEE, the instances of a repeating XML element are removed from the data. (LC-3922017)
- When a user on a Linux environment renders an adaptive form (on JEE) in HTML, it fails to render properly. (LC-3921957)
- When a user converts an XTG file to PostScript format using the Output Service on AEM Forms JEE, it fails with the error: AEM_OUT_001_003: Unexpected Exception: PAExecute Failure: XFA_RENDER_FAILURE. (LC-3921720)
- After upgrading to AEM Forms Service Pack 18 (6.5.18.0) on JEE server, when a user submits a form, it fails to render HTML5 or PDF Forms and XMLFM crashes. (LC-3921718)
- Hotfix for AEM Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0 on JBoss JEE server
- Hotfix for AEM Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0 on WebLogic JEE server
- Hotfix for AEM Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0 on WebSphere JEE server
- Hotfix for AEM Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0 on OSGi server
- After upgrading to AEM Forms Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0, the PaperCapture service fails to perform OCR (Optical Character Recognition) operations on PDFs. For installation instructions, refer to the troubleshooting article. (CQDOC-21680)
- Draft letters with XML data are getting stuck in the loading state during preview. For downloading and installation instructions of the hotfix, refer to the Download and install hotfix for draft letter issue section. (FORMS-14521)
- In an Adaptive Form based on an XDP with embedded scripts on checkboxes, the scripts are not executed for elements after such checkboxes. A hotfix is available for this issue. (FORMS-14244)
- Rows in the date picker widget are truncated when traversing through months in the pop-up widget for fields with Edit/Display pattern. A hotfix is available for this issue. (FORMS-13620)
- Form submissions are failing when trying to use the DOR (Document of Record) service in the backend. The error message encountered is: "Submit Action couldn't complete because Form Resource isn't correctly assigned." (FORMS-13798)
- When an Adaptive Form is submitted from an Adobe Experience Manager Publish instance to an Adobe Experience Manager Workflow, the workflow fails to save the attachments. (FORMS-14209)
- On installing AEM 6.5 Forms Service Pack 20 package (AEM Forms add-on package for SP20), the AEM Sites user interface (UI) exhibits significant performance degradation. (FORMS-13791)
- The prefill service fails with a null pointer exception in Interactive Communications. (CQDOC-21355)
- Configurations using the legacy cloud service for Adobe Analytics with user credential-based authentication fail to function correctly, causing analytics rules to fail to execute. (FORMS-15428)
- On AEM Forms on the JEE server, the HTML5 Forms that make use of the context path fail to render. (FORMS-12485, FORMS-12691).
- The out-of-the-box Scribble Signature component fails to render for a preview in an adaptive form. (FORMS-12073).
- Inline signing stops working when a redirect URL is set in the guide container of an Adaptive Form. (FORMS-10493)
- Document of Record (DoR) templates fail to publish for localized Adaptive Forms. (FORMS-10535)
- Interactive Communication with large inline images fails to open in edit mode. (FORMS-10578)
Download and install an OSGi Hotfix
Perform the following steps to download and install the Hotfix:
- Download the Hotfix from the Software Distribution link.
- Extract the Hotfix archive file to obtain an Experience Manager package (.zip) and bundle (.jar) files.
- Upload and install the package (.zip) via the Package Manager.
- Open the configuration manager bundles page (https://server:host/system/console/bundles), then upload and install the bundle (.jar). The hotfix is installed.
Install a JEE patch
For instructions to install a JEE patch, see the AEM Forms JEE Patch Installer documentation.
Download and install hotfix for draft letter issue
To resolve the issue, perform the following steps:
- Download the hotfix from the Software Distribution portal.
- Upload and install the package (.zip) using the CRX Package Manager.