Skip to main content

Adobe Experience Manager CVE-2026-48252

| EUVDEUVD-2026-44379 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-14 adobe GHSA-jjf4-ppfx-v66m
8.6
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
8.6 HIGH

Missing authentication makes it network-reachable and unauthenticated (AV:N/PR:N/AC:L/UI:N); impact is unauthorized write (I:H) with no confidentiality or availability loss, and the cross-boundary function yields S:C.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:47 vuln.today
CVE Published
Jul 14, 2026 - 19:20 nvd
HIGH 8.6

DescriptionCVE.org

Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthenticated attacker reach a critical function directly, bypassing a security control to gain unauthorized write access. The CVSS 8.6 rating and scope-change flag indicate impact can extend beyond the initially vulnerable component, though only integrity is affected (no confidentiality or availability loss). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed AEM endpoint
Delivery
Send crafted unauthenticated HTTP request
Exploit
Reach critical function without auth
Execution
Perform unauthorized write across scope
Impact
Tamper with content or configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the AEM endpoint that exposes the affected critical function; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is remote, low-complexity, unauthenticated, and needs no user interaction, so against an exposed default-affected AEM instance no special conditions apply. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately concerning but not maximal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-reachable AEM author or publish instance and sends a crafted HTTP request directly to the unauthenticated critical-function endpoint, without needing credentials or any user interaction. Because authentication is missing, the request executes a state-changing operation, giving the attacker unauthorized write access to content or configuration that crosses into another component's authorization scope. …
Remediation Apply the fix per Adobe advisory APSB26-74 (https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html); the provided data does not contain an exact patched build number, so treat this as 'Patch available per vendor advisory' and pull the precise version and service-pack/hotfix identifiers from that advisory for AEM 6.5 and 6.5 LTS. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, restrict network access to all vulnerable AEM instances to administrative users only and enable comprehensive audit logging for write operations to detect unauthorized changes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48359 CRITICAL
9.6 Jul 14

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6

CVE-2026-48259 CRITICAL
9.6 Jul 14

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged

CVE-2026-48310 HIGH
8.6 Jul 14

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenti

CVE-2026-48263 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48355 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48260 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48261 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48253 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48262 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48255 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48257 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48254 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

Share

CVE-2026-48252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy