Skip to main content

Adobe Experience Manager CVE-2026-48359

| EUVDEUVD-2026-44386 CRITICAL
Improper Restriction of XML External Entity Reference (CWE-611)
2026-07-14 adobe GHSA-5p7j-5g9r-9wjx
9.6
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.5 HIGH

Network XXE needing a low-privilege account (PR:L) and no interaction; primary impact is sensitive file read (C:H) with scope change to internal systems (S:C) and only limited integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:46 vuln.today
CVE Published
Jul 14, 2026 - 19:21 nvd
CRITICAL 9.6

DescriptionCVE.org

Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege AEM account
Delivery
Submit crafted XML with external entity
Exploit
Parser resolves external entity reference
Execution
Read sensitive local files/credentials
Impact
Escalate privileges or hijack session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to reach an AEM endpoint that parses attacker-supplied XML and to hold at least a low-privileged authenticated account (CVSS PR:L) - it is not anonymous/unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privileged AEM account (for example a limited author or a self-registered/leaked credential) submits a crafted XML document - such as a content package, form, or web service request - containing a malicious external entity to a vulnerable parsing endpoint. The server resolves the entity, returning the contents of sensitive local files (credentials, keystores, configuration) to the attacker, who then leverages that data to escalate privileges or hijack the victim's session. …
Remediation Apply the fixes described in Adobe Security Bulletin APSB26-74 (https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html) - Patch available per vendor advisory; the exact fixed build for AEM 6.5 / 6.5 LTS should be pulled from that bulletin as the input did not include a specific version string, and AEM as a Cloud Service updates are delivered by Adobe on the managed release train, so ensure your cloud environment is on the current release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all AEM deployments by version and access tier; restrict network access to AEM consoles to defined IP ranges and multi-factor authentication; implement enhanced logging on XML file operations and authentication events. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48259 CRITICAL
9.6 Jul 14

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged

CVE-2026-48310 HIGH
8.6 Jul 14

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenti

CVE-2026-48252 HIGH
8.6 Jul 14

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthentica

CVE-2026-48263 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48355 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48260 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48261 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48253 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48262 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48255 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48257 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48254 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

Share

CVE-2026-48359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy