
Adobe Campaign Classic CVE-2026-48303

EUVD-2026-35838 · CRITICAL
Incorrect Authorization (CWE-863)
2026-06-09 psirt@adobe.com GHSA-gx58-v339-c87j
10.0 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 21:35 (vuln.today)
CVE Published: Jun 09, 2026 - 21:17 (nvd), CRITICAL 10.0

Description (NVD)

Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Analysis (AI)

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed ACC 7.4.3 endpoint
Delivery: Send crafted request to authorization-gated handler
Exploit: Bypass CWE-863 authorization check
Execution: Trigger server-side code execution path
Persist: Execute arbitrary code as ACC user
Impact: Pivot to marketing data and adjacent systems

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of Adobe Campaign Classic 7.4.3 build 9394 or earlier. …

Risk Assessment: All available signals point to maximum severity. …

Exploit Scenario: An attacker on the internet identifies an exposed Adobe Campaign Classic 7.4.3 instance (commonly discoverable via the /nl/jsp/ or /r/ tracking endpoints), sends a single crafted request to a code-execution sink that is protected by the flawed authorization check, and bypasses the check to invoke server-side script execution. Because the scope is changed and the result is code execution in the current user context, the attacker pivots from the web tier to the campaign delivery infrastructure to exfiltrate marketing customer databases or stage further intrusion. …

Remediation: Apply the Adobe-released patch documented in security bulletin APSB26-66 (https://helpx.adobe.com/security/products/campaign/apsb26-66.html), which addresses ACC 7.4.3 build 9394 and earlier - administrators should upgrade to the fixed build identified in that advisory (exact post-patch build number not enumerated in the input data and should be read from Adobe's bulletin). …

Recommended Action (AI)

24 hours: Identify and inventory all Adobe Campaign Classic deployments; confirm running build versions and assess network exposure (direct Internet access vs. …
