- Open CVEs: 18
- Exploited: 0
- KEV: 0
- Unpatched: 17
- No Workaround: 17
- Internet-facing: 11
Why this provider is risky now
This provider has 18 open CVE(s) in the last 30 days. 17 have no vendor patch. 11 affect internet-facing services. 4 impact the management/identity plane.
17 Unpatched
4 Mgmt / Admin Plane
17 No Workaround
11 Internet-facing
Top Risky CVEs
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current u
Edge exposure
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-502: Deserialization of Untrusted Data)
- Third-party ICT: Adobe
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 9.6
EPSS: 1.5%
Priority: 50
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An a
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass, rce
- Third-party ICT: Adobe
- No patch available
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.3
EPSS: 0.5%
Priority: 47
CVE-2026-42155
Act Now
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
- Within 24 hours: Inventory all OpenMage LTS deployments and versions; isolate or restrict API access if patch testing cannot begin immediately.
- Within 7 days: Apply vendor-released patch to all instances running OpenMage LTS ≤ 20.17.0; verify upgrade to patched version.
- Within 30 days: Conduct forensic review of API access logs from past 90 days for indicators of session hijacking; reset API credentials for all integrations as precaution.
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Adobe
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Adobe (ERP & Business Platforms)
CVSS: 9.3
EPSS: 0.0%
Priority: 47
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
Edge exposure
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Adobe
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 8.7
EPSS: 0.1%
Priority: 44
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-pri
Edge exposure
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Third-party ICT: Adobe
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 8.7
EPSS: 0.0%
Priority: 44
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature by
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Adobe
- No patch available
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 7.5
EPSS: 0.1%
Priority: 38
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature by
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Adobe
- No patch available
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 7.5
EPSS: 0.1%
Priority: 38
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Adobe
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 7.5
EPSS: 0.1%
Priority: 38
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application d
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Adobe
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 7.5
EPSS: 0.0%
Priority: 38
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application d
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Adobe
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Adobe (ERP & Business Platforms)
- No remediation available
CVSS: 7.5
EPSS: 0.0%
Priority: 38
By Exposure
- Internet-facing: 11
- Mgmt / Admin Plane: 4
- Identity / Auth: 4
- Internal only: 7
By Exploitability
- Known exploited: 0
- Public PoC: 0
- High EPSS (>30%): 0
- Remote unauthenticated: 13
- Local only: 0
By Remediation
- Patch available: 1
- No patch: 17
- Workaround available: 0
- No workaround: 17
Affected Services / Product Families
- Adobe: 18 CVE(s)
+ 8 more