Skip to main content

Adobe Experience Manager EUVDEUVD-2026-44388

| CVE-2026-48310 HIGH
Path Traversal (CWE-22)
2026-07-14 adobe GHSA-qq67-g2p8-3v54
8.6
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
8.6 HIGH

Remote unauthenticated file read needing no interaction (AV:N/AC:L/PR:N/UI:N); reads escape the component's scope (S:C) disclosing sensitive files (C:H) with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:46 vuln.today
CVE Published
Jul 14, 2026 - 19:21 nvd
HIGH 8.6

DescriptionCVE.org

Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenticated attackers traverse outside the intended directory scope to retrieve sensitive files, per Adobe advisory APSB26-74. The CVSS 3.1 score of 8.6 is elevated by a changed scope (S:C), meaning the read reaches resources beyond the vulnerable component's security authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed AEM endpoint
Delivery
Send request with '../' traversal path
Exploit
Bypass directory scope restriction
Execution
Server resolves path outside web root
Impact
Read sensitive files and exfiltrate

Vulnerability AssessmentAI

Exploitation No special conditions beyond network reachability - remote unauthenticated exploitation (PR:N/UI:N/AC:L) against an exposed Adobe Experience Manager HTTP endpoint, requiring a crafted request path that supplies traversal input to reach files outside the intended directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated attack with no user interaction, which is a genuinely dangerous profile, and the changed scope plus high confidentiality impact (S:C/C:H) justify the 8.6 rating for an information-disclosure-only issue (I:N/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to an internet-facing AEM instance in which a path parameter embeds directory-traversal sequences, causing the server to resolve and return a file outside the intended content directory. The attacker retrieves sensitive artifacts such as configuration files, credentials, or private content, then uses that data to deepen the compromise. …
Remediation Patch available per vendor advisory (Adobe APSB26-74): apply the fixed Service Pack/hotfix for your AEM channel - the managed AEM as a Cloud Service should receive the fix through Adobe's release pipeline, while AEM 6.5 and 6.5 LTS require installing the corresponding Adobe-published Service Pack; the exact fixed version is not stated in the available data, so confirm it against https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, enumerate all AEM instances and confirm affected versions (6.5 LTS, 6.5, Cloud Service), review access logs for exploitation indicators, and implement Web Application Firewall rules to block directory traversal patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48359 CRITICAL
9.6 Jul 14

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6

CVE-2026-48259 CRITICAL
9.6 Jul 14

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged

CVE-2026-48252 HIGH
8.6 Jul 14

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthentica

CVE-2026-48263 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48355 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-

CVE-2026-48260 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48261 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48253 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48262 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48255 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48257 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

CVE-2026-48254 MEDIUM
5.4 Jul 14

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit

Share

EUVD-2026-44388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy