Skip to main content

Adobe Experience Manager EUVDEUVD-2026-44387

| CVE-2026-48259 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-14 adobe GHSA-mqxm-pgxg-3pr2
9.6
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
9.6 CRITICAL

Network-reachable SSRF needing a low-privileged authenticated foothold (PR:L), no user interaction, scope changed to internal targets with high confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:46 vuln.today
CVE Published
Jul 14, 2026 - 19:21 nvd
CRITICAL 9.6

DescriptionCVE.org

Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged AEM account
Delivery
Submit request with attacker-controlled URL
Exploit
Server issues unauthorized internal request (SSRF)
Execution
Reach internal endpoint / escalate
Persist
Execute code in current user context
Impact
Hijack victim account or session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess a low-privileged authenticated session on the AEM instance (CVSS PR:L), and the attacker must be able to reach an AEM function that builds a server-side request from attacker-influenced input (the SSRF sink). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine high priority but not an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privileged AEM account (or has phished/obtained such credentials) submits a crafted request whose URL parameter is controlled, causing the AEM server to make an unauthorized server-side request to an internal endpoint. By targeting internal services reachable only from the AEM host, the attacker escalates the SSRF into code execution in the current user's context and takes over the victim's account or session - no user interaction is required. …
Remediation Patch available per vendor advisory: apply the fixes described in Adobe Security Bulletin APSB26-74 (https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html); the exact fixed build/service-pack number was not in the provided data, so confirm the target version directly from that bulletin - AEM as a Cloud Service customers should ensure they are on the current release, and 6.5 / 6.5 LTS operators should apply the corresponding service pack or cumulative fix pack. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Adobe Experience Manager deployments (AEM as a Cloud Service, 6.5 LTS, and 6.5) and assess which instances allow authenticated user access or have internet exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48359 CRITICAL
9.6 Jul 14

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6

CVE-2026-48310 HIGH
8.6 Jul 14

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenti

CVE-2026-48252 HIGH
8.6 Jul 14

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthentica

CVE-2026-48263 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48355 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48260 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48261 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48253 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48262 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48255 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48257 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48254 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

Share

EUVD-2026-44387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy