Adobe Experience Manager Forms Hotfixes

This article lists the critical fixes implemented to address known issues, improve system stability, and enhance overall performance of AEM Forms.

NOTE
The hotfixes are designed to be cumulative, encompassing all preceding fixes. When you apply the latest hotfix to a release, it not only addresses the most recent issue but also incorporates all prior bug fixes and enhancements.

Hotfixes for AEM Forms

Date
Hotfix download link (AEM Software Distribution link)
Fixed issues
Aug 05, 2025
Applies to: AEM 6.5 Forms Service Pack 23
Setup instructions: Mitigating XXE, Configuration, and Remote Code Execution (CVE-2025-49533) Vulnerabilities for AEM Forms on JEE
  • JBoss:
    • Windows
    • Linux
  • WebLogic:
    • Windows
    • Linux
  • WebSphere:
    • Windows
    • Linux
  • Enhanced security by addressing a Remote Code Execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms. The issue was related to Struts development mode in the admin user interface (UI), which allowed arbitrary Object-Graph Navigation Language (OGNL) evaluation through debug functionality. This fix ensures that Struts development mode is disabled and appropriate security filters are applied to prevent unauthorized access.

  • Improved protection against Extensible Markup Language (XML) External Entity (XXE) vulnerabilities in the Electronic Document Component (EDC) module of Adobe Experience Manager (AEM) Forms. The vulnerabilities were due to improper handling of XML documents without XXE protections, which could lead to local file reads. The fix includes:

    • Ensuring that the DocumentBuilderFactory used in the SecurityCheckHandler class is configured to prevent XXE attacks.
    • Updating the EDC web service to handle XML documents securely, preventing unauthorized access to local files.
Aug 05, 2025
Applies to: AEM 6.5 Forms Service Pack 18 – 22
Setup instructions: Manual Hotfix Installation for Service Packs 18–22
  • Enhanced security by addressing a Remote Code Execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms. The issue was related to Struts development mode in the admin user interface (UI), which allowed arbitrary Object-Graph Navigation Language (OGNL) evaluation through debug functionality. This fix ensures that Struts development mode is disabled and appropriate security filters are applied to prevent unauthorized access.

  • Improved protection against Extensible Markup Language (XML) External Entity (XXE) vulnerabilities in the Document Security module of Adobe Experience Manager (AEM) Forms. The vulnerabilities were due to improper handling of XML documents without XXE protections, which could lead to local file reads. The fix includes:

    • Ensuring that the DocumentBuilderFactory used in the SecurityCheckHandler class is configured to prevent XXE attacks.
    • Updating the Document Security web service to handle XML documents securely, preventing unauthorized access to local files.
Jul 10, 2025
  • JBoss:
    • Windows
    • Linux
  • WebLogic:
    • Windows
    • Linux
  • WebSphere:
    • Windows
    • Linux
  • This hotfix fixes the following:

    • FORMS-20533: AEM Forms now includes an upgrade of Struts version from 2.5.33 to 6.x for the forms component. This delivers previously missed Struts changes that were not included in SP23. The support was added via a Hotfix that you can download and install to add support for the latest version of Struts.
    • FORMS-20532: AEM Forms now includes an upgrade of Struts version from 2.5.33 to 6.x for the output component. This delivers previously missed Struts changes that were not included in SP23. The support was added via a Hotfix that you can download and install to add support for the latest version of Struts.
    • FORMS-20203: When a user upgrades Struts from AEM Service Pack 2.5.x to AEM Forms Service Pack 6.x, the Policies UI fails to display all configurations, such as the option to add a watermark. You can download and install the Hotfix to resolve this issue.
    • FORMS-20360: After upgrading to AEM Forms Service Pack 6.5.23.0, the ImageToPDF conversion service fails with the error:
      17:15:44,468 ERROR [com.adobe.pdfg.GeneratePDFImpl] (default task-49) ALC-PDG-001-000-ALC-PDG-011-028-Error occurred while converting the input image file to PDF. com/adobe/internal/pdftoolkit/core/encryption/EncryptionImp
      You can download and install the Hotfix to resolve this issue.
March 26, 2025

To install this fix, follow the instructions in Mitigating Spring Framework Vulnerabilities for AEM Forms on JEE.
  • Mitigating Spring Framework Vulnerabilities for AEM Forms on JEE
July 10, 2024
  • When a user updates to AEM Forms Service Pack 20 (6.5.20.0) on JEE server and generates PDFs using output services, the PDFs render with accessibility issues. (LC-3922112)
  • Tagged PDFs generated using output service on AEM Forms JEE show "Inappropriate structure warning". (LC-3922038)
  • When a form is submitted on AEM Forms JEE, the instances of a repeating XML element are removed from the data. (LC-3922017)
  • When a user on a Linux environment renders an adaptive form (on JEE) in HTML, it fails to render properly. (LC-3921957)
  • When a user converts an XTG file to PostScript format using the Output Service on AEM Forms JEE, it fails with the error: AEM_OUT_001_003: Unexpected Exception: PAExecute Failure: XFA_RENDER_FAILURE. (LC-3921720)
  • After upgrading to AEM Forms Service Pack 18 (6.5.18.0) on JEE server, when a user submits a form, it fails to render HTML5 or PDF Forms and XMLFM crashes. (LC-3921718)
June 21, 2024
  • After upgrading to AEM Forms Service Pack 6.5.21.0 or AEM Forms Service Pack 6.5.22.0, the PaperCapture service fails to perform OCR (Optical Character Recognition) operations on PDFs. For installation instructions, refer to the troubleshooting article. (CQDOC-21680)
June 21, 2024
May 16, 2024
  • In an Adaptive Form based on an XDP with embedded scripts on checkboxes, the scripts are not executed for elements after such checkboxes. A hotfix is available for this issue. (FORMS-14244)
  • Rows in the date picker widget are truncated when traversing through months in the pop-up widget for fields with Edit/Display pattern. A hotfix is available for this issue. (FORMS-13620)
  • Form submissions are failing when trying to use the DOR (Document of Record) service in the backend. The error message encountered is: "Submit Action couldn't complete because Form Resource isn't correctly assigned." (FORMS-13798)
  • When an Adaptive Form is submitted from an Adobe Experience Manager Publish instance to an Adobe Experience Manager Workflow, the workflow fails to save the attachments. (FORMS-14209)
  • On installing the AEM 6.5 Forms Service Pack 20 package (AEM Forms add-on package for SP20), the AEM Sites user interface (UI) exhibits significant performance degradation. (FORMS-13791)
  • The prefill service fails with a null pointer exception in Interactive Communications. (CQDOC-21355)
  • Configurations using the legacy cloud service for Adobe Analytics with user credential-based authentication fail to function correctly, causing analytics rules to fail to execute. (FORMS-15428)
January 29, 2024
  • On AEM Forms on the JEE server, the HTML5 Forms that make use of the context path fail to render. (FORMS-12485, FORMS-12691).
January 29, 2024
  • The out-of-the-box Scribble Signature component fails to render for a preview in an adaptive form. (FORMS-12073).
November 20, 2023
  • Inline signing stops working when a redirect URL is set in the guide container of an Adaptive Form. (FORMS-10493)
  • Document of Record (DoR) templates fail to publish for localized Adaptive Forms. (FORMS-10535)
  • Interactive Communication with large inline images fails to open in edit mode. (FORMS-10578)

Download and install an OSGi Hotfix

Perform the following steps to download and install the Hotfix:

  1. Download Hotfix from the Software Distribution link.
  2. Extract the Hotfix archive file so you can obtain an Experience Manager package (.zip) and bundle (.jar) files.
  3. Upload and install the package (.zip) via the Package Manager.
  4. Open the configuration manager bundles page at https://server:host/system/console/bundles, then upload and install the bundle (.jar). The hotfix is installed.

Install a JEE patch

For instructions to install a JEE patch, see the AEM Forms JEE Patch Installer documentation.

Download and install hotfix for draft letter issue

To resolve the issue, perform the following steps:

  1. Download the hotfix from the Software Distribution portal.
  2. Upload and install the package (.zip) using the CRX Package Manager.