
Adobe Campaign Classic EUVD-2026-35839

CVE-2026-47938 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-09 psirt@adobe.com GHSA-6m7j-3j3g-22g4
CVSS 3.1 (NVD): 10.0

Severity by source

NVD (PRIMARY): 10.0 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 21:33 (vuln.today)
CVE Published: Jun 09, 2026 - 21:17 (nvd), CRITICAL 10.0

Description (CVE.org)

Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Analysis (AI)

Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed ACC 7.4.3 instance
Delivery: Send crafted request with attacker-controlled URL
Exploit: Server issues SSRF to internal target
Execution: Pivot to backend service or metadata endpoint
Persist: Trigger arbitrary code execution as ACC user
Impact: Access campaign data and pivot internally

Vulnerability Assessment (AI)

Exploitation: The attacker needs network reachability to the Adobe Campaign Classic web/application tier of a vulnerable instance (7.4.3 build 9394 or earlier) and the ability to submit a request to whichever ACC feature accepts the attacker-controlled URL - the advisory does not name the specific endpoint, so any externally exposed ACC HTTP surface should be considered a candidate. …

Risk Assessment: All available signals point to a top-priority issue: CVSS 3.1 base score is the maximum 10.0 with AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, meaning a remote, unauthenticated attacker with no user interaction can fully compromise confidentiality, integrity, and availability while crossing a security boundary. …

Exploit Scenario: An attacker reaches an internet-exposed Adobe Campaign Classic 7.4.3 (build ≤9394) endpoint and submits a crafted request that causes the ACC server to issue an attacker-chosen HTTP request; by directing that request at an internal service (cloud metadata, an internal admin API, or a deserialization-prone backend), the attacker chains the SSRF into arbitrary code execution running as the ACC service account. Because UI:N and PR:N apply, no phishing or credentials are required, and the scope change means the executed code lands outside the originally vulnerable component - likely on a backend that the ACC server is trusted to call. …

Remediation: Patch available per vendor advisory: upgrade Adobe Campaign Classic to the fixed build published in APSB26-66 (https://helpx.adobe.com/security/products/campaign/apsb26-66.html) - the advisory page is the authoritative source for the exact post-9394 patched build number, which was not included in the input data and should not be assumed. …

Recommended Action (AI)

Within 24 hours: Inventory all Adobe Campaign Classic instances and immediately restrict network access to trusted corporate networks using firewall rules; enable application logging. …
