Adobe
Monthly
Stored XSS in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform's content authoring interface. When a victim - typically an administrator or higher-privileged user - browses the page containing the injected field, the script executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the changed scope (S:C) in the CVSS vector elevates the effective impact beyond the originating component, making this a meaningful risk in environments with untrusted low-privilege authors.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables low-privileged authenticated attackers to inject persistent malicious JavaScript into vulnerable form fields, which then executes in the browsers of users who visit the affected pages. The CVSS Scope:Changed designation means injected scripts can breach the security context of the AEM application itself, potentially affecting other browser-accessible resources. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in other users' browsers upon page load. Affected versions span the 6.5.x branch through 6.5.24, the LTS SP1 track, and cloud-native releases through 2026.04. No public exploit code or active exploitation has been identified at time of analysis; however, the changed scope (S:C) elevates real-world impact by enabling session hijacking or credential theft against higher-privileged users such as authors or administrators.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses a page containing the poisoned field, the script executes in their browser - with scope change (S:C) meaning the injected payload can affect resources and sessions beyond the origin of the vulnerable component itself. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields. When a victim - such as an administrator - browses a page containing the injected payload, the script executes in their browser session, enabling session hijacking, credential theft, or privilege escalation within the AEM instance. The CVSS Scope:Changed designation elevates practical risk above the medium base score of 5.4, as impact extends beyond the attacker's own session to the victim's browser context. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any victim user subsequently browses to the page hosting the injected content, the script executes in their browser - outside AEM's security boundary (CVSS S:C, scope changed) - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in any victim's browser upon page visit. Affected versions span the 6.5.x LTS line through 6.5.24 and LTS SP1, as well as cloud-service releases through 2026.04. The CVSS Scope:Changed designation confirms the payload can affect browser contexts beyond the attacker's own session - elevating concern for privilege escalation against higher-privileged users such as administrators. No public exploit identified at time of analysis and no CISA KEV listing observed.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persist malicious JavaScript payloads inside vulnerable form fields. When a higher-privileged user - such as an administrator or editor - later browses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions on the victim's behalf. The CVSS Scope:Changed designation confirms the exploit transcends the attacker's own privilege boundary; no public exploit has been identified and CISA SSVC assessment rates exploitation as none at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users - including higher-privileged ones - who subsequently visit the affected page. Affected versions span 6.5.24, LTS SP1, and 2026.04 and earlier. The CVSS Scope:Changed designation indicates that successful exploitation can impact components beyond the attacker's privilege boundary, elevating the practical impact of an otherwise medium-severity finding. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier allows an authenticated low-privileged attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses to the page containing the poisoned field, the script executes in their browser under AEM's origin, with scope change (S:C) enabling the attacker to affect browser context beyond AEM's own security boundary. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low access complexity and persistent nature of the payload make this a credible threat in multi-tenant or contributor-accessible AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users who visit the affected page. Affected versions span the 6.5.x branch (through 6.5.24), the LTS SP1 track, and the cloud-native 2026.04 release and earlier. The scope-changed CVSS rating reflects that the injected payload crosses the security boundary from the attacker's session context to arbitrary victim sessions, enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields, executing in the browser of any user who subsequently views the affected page. The CVSS Scope Changed (S:C) designation confirms the injected script crosses trust boundaries, meaning payloads can target administrator sessions, exfiltrate tokens, or perform privileged actions beyond the AEM application context. Adobe has published advisory APSB26-56 addressing this issue; no public exploit has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows an authenticated low-privileged attacker to inject and execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment through a crafted webpage. Successful exploitation results in a scope change (S:C), meaning attacker-controlled script can reach resources beyond the vulnerable AEM component - such as session tokens or cross-origin content accessible to the victim. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though Adobe's own PSIRT reported it under advisory APSB26-56.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject and execute malicious JavaScript within a victim's browser by manipulating the Document Object Model. The CVSS Scope:Changed rating signals that successful exploitation breaks out of the vulnerable component's security boundary, enabling impact on resources beyond AEM itself - such as adjacent browser sessions or stored credentials. No public exploit identified at time of analysis, and CISA KEV listing is absent, but the low attack complexity and changed scope make this a meaningful risk for organizations running AEM with untrusted low-privilege users.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject malicious scripts into vulnerable form fields, which then execute in any victim's browser when they navigate to the affected page. The Changed scope (S:C) in the CVSS vector confirms that impact escapes the vulnerable component and reaches the victim's browser context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform. When a higher-privileged user - such as an administrator or content editor - subsequently browses to a page containing the poisoned field, the injected script executes in their browser, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; Adobe has published advisory APSB26-56 to address this issue.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser within a changed scope context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the Adobe APSB26-56 advisory provides remediation guidance.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) permits a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields, which then executes in any victim's browser upon visiting the affected page. The CVSS scope change (S:C) indicates the injected script can impact browser contexts beyond AEM itself - enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the page containing the tainted field, the script executes in their browser under a changed scope (S:C), meaning the impact extends beyond the originating application context. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the low attack complexity and broad version range make this a realistic internal threat in multi-tenant AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to the affected page, the injected script executes within their browser session. The CVSS Scope:Changed rating confirms the exploit crosses security boundaries: the attacker's injected payload affects victims beyond the attacker's own session, enabling session hijacking, credential theft, or privilege escalation in a CMS where administrators hold significant content control. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields via the AEM authoring interface. When any victim browses a page containing the compromised field, the injected script executes within their browser - the CVSS Scope Changed (S:C) flag confirms the impact crosses trust boundaries beyond the AEM application itself, enabling session theft or unauthorized actions on behalf of higher-privileged users. No public exploit identified at time of analysis; Adobe has published advisory APSB26-56 addressing this issue.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged remote attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The changed scope (S:C in CVSS) means successful exploitation can affect resources beyond the vulnerable component itself, enabling session hijacking or credential theft against AEM users. Exploitation requires user interaction - the victim must be social-engineered into visiting an attacker-controlled or injected URL - and no public exploit or CISA KEV listing exists at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.
Stored cross-site scripting in Adobe Experience Manager Forms JEE LTS SP1 and 6.5.24.0 and earlier allows remote unauthenticated attackers to inject malicious JavaScript into vulnerable form fields that executes in victims' browsers when they visit the affected page. The scope-changed CVSS 9.3 reflects that the injected script can pivot beyond the vulnerable component to compromise the victim's authenticated session or account. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch - ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.
Magento LTS prior to version 20.17.0 allows authenticated attackers to access private wishlist items from other users via an authorization bypass in the shared wishlist add-to-cart endpoint. The vulnerability permits an attacker with a valid sharing code for one wishlist to import items from a different victim's wishlist into their cart by manipulating the wishlist_item_id parameter, potentially exposing private custom option data and enabling cross-user file disclosure when file upload custom options are present. CVSS 5.3 (AV:N/AC:L/PR:L) indicates network-accessible exploitation requiring low privileges; patch version 20.17.0 resolves the issue.
OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (`str_replace('../', '', $input)`). Attackers can circumvent the blacklist by using nested patterns like `..././` or `....//` which resolve to valid `../` sequences after filtering. Remote administrative access is required, but the high confidentiality impact and confirmed patch availability make immediate patching necessary for affected deployments.
Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.
Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search path used by the application to locate critical resources, potentially causing unauthorized code execution. Exploitation of this issue required user interaction in that a user had to be running the installer.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier allows local attackers to disclose sensitive information from process memory without user privileges, requiring only that a victim open a malicious document. CVSS 5.5 reflects confidentiality impact with low attack complexity, though no active exploitation or public proof-of-concept has been confirmed at analysis time.
Adobe FrameMaker 2022.8 and earlier suffers from uninitialized pointer access that leaks sensitive memory contents to local attackers. The vulnerability requires user interaction-a victim must open a specially crafted file-but once triggered, it bypasses memory protections and exposes confidential data without requiring authentication or modifying files. CVSS 5.5 reflects moderate severity (local attack vector, high confidentiality impact) with no public exploit identified at time of analysis.
Adobe FrameMaker 2022.8 and earlier allows arbitrary file system read through improper input validation when a user opens a malicious file, enabling attackers to access sensitive data on the victim's system. The vulnerability requires user interaction and is classified as information disclosure with a CVSS score of 6.3. No active exploitation or public exploit code has been identified at the time of analysis.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code with current user privileges via maliciously crafted files. The type confusion vulnerability (CWE-843) requires user interaction to open a weaponized document. CVSS 7.8 (High) reflects significant impact (full confidentiality, integrity, availability compromise) once exploitation succeeds. No public exploit identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote exploitation risk.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code in user context by delivering malicious FrameMaker documents that trigger integer underflow during file parsing. Attack requires social engineering to convince targets to open crafted files. No public exploit identified at time of analysis, though CVSS 7.8 severity reflects high impact across confidentiality, integrity, and availability if successfully exploited.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files exploiting an integer underflow. Attack requires user interaction (opening a malicious file). CVSS 7.8 (High) reflects local attack vector with low complexity. No public exploit identified at time of analysis, and EPSS data not provided. Vendor advisory available at Adobe PSIRT (APSB26-36).
Out-of-bounds write in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open specially crafted malicious files. The vulnerability achieves full confidentiality, integrity, and availability impact (CVSS 7.8 HIGH) but requires local access and user interaction, limiting immediate risk. No public exploit identified at time of analysis, and exploitation requires social engineering to deliver the malicious file to victims.
Out-of-bounds read in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open malicious crafted files. Exploitation requires local access and user interaction (CVSS 7.8, AV:L/UI:R), allowing attackers to execute code with current user privileges and achieve high confidentiality, integrity, and availability impact. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Adobe has released security bulletin APSB26-36 addressing this vulnerability.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. Attack requires local access and user interaction (CVSS 7.8, AV:L/UI:R), limiting remote exploitation scenarios. No public exploit identified at time of analysis. EPSS data not available, and vulnerability not listed in CISA KEV, suggesting exploitation remains theoretical despite the high CVSS score.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier via DLL hijacking/search path manipulation allows local attackers to run malicious code in user context without interaction. CVSS 8.6 severity stems from changed scope and high confidentiality/integrity/availability impact despite local attack vector. No public exploit identified at time of analysis. EPSS data not available for this recent CVE. Vendor patch released per Adobe Security Bulletin APSB26-36.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and earlier allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious webpage that manipulates the DOM environment. The vulnerability requires user interaction and results in limited confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager 6.5.24 and FP11.7 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious web pages that manipulate the DOM environment, requiring user interaction to trigger the attack. CVSS 5.4 reflects moderate severity with network-accessible attack surface but limited scope impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and FP11.7 earlier allows authenticated users to execute arbitrary JavaScript in victims' browsers by crafting malicious webpages that manipulate the DOM environment. The vulnerability requires user interaction (victim must visit a crafted page) and affects the confidentiality and integrity of user sessions within the AEM application context. CVSS 5.4 reflects the moderate severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager versions FP11.7 and earlier allows authenticated attackers to inject malicious JavaScript into form fields, which executes in victims' browsers with limited impact (confidentiality and integrity). The vulnerability requires user interaction (victim must view the affected page) and authenticated access, resulting in a CVSS 5.4 (medium) score. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge.
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Reflected cross-site scripting (XSS) in Adobe Connect 2025.3, 12.10, and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a crafted URL, potentially compromising user session data and performing actions on behalf of the victim. The vulnerability affects multiple versions across a wide product scope and requires user interaction (clicking a malicious link) to trigger. No public exploit code or active exploitation has been confirmed at the time of analysis.
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat.
Reflected Cross-Site Scripting in Adobe Connect versions 12.10 and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by distributing a malicious URL. The vulnerability requires user interaction (clicking a link) and can affect the confidentiality and integrity of user sessions across different origins due to changed scope. No public exploit code or active exploitation has been confirmed at this time.
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score.
Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory.
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Prototype pollution in Adobe Acrobat Reader allows arbitrary code execution when victims open malicious PDF files. Affects Acrobat Reader versions through 26.001.21411, 24.001.30360, and 24.001.30362. Attack requires local file access with user interaction (CVSS AV:L/UI:R) but achieves scope change and full CIA impact (S:C/C:H/I:H/A:H), yielding CVSS 8.6. No public exploit identified at time of analysis. Vendor advisory available from Adobe (APSB26-44). EPSS data not provided; exploitation status limited to user-interaction-dependent local attack vector.
Prototype pollution in Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier allows arbitrary file system read operations in the context of the current user when a victim opens a malicious PDF or document. The vulnerability requires user interaction but enables confidentiality compromise with high impact; no active exploitation confirmed but the attack surface is broad given Acrobat Reader's ubiquity in document handling.
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.
Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 permit attackers to bypass security features and degrade data integrity and availability with no user interaction required. The vulnerability affects multiple Adobe Commerce and Magento B2B product lines, though exploitation requires specific conditions outside the attacker's direct control. No patch is currently available for this medium-severity flaw.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.
Security feature bypass in Adobe Commerce and Magento versions 2.4.4-p16 through 2.4.9-alpha3 results from improper input validation, allowing unauthenticated remote attackers to compromise the integrity of affected systems without user interaction. The vulnerability affects multiple product lines including Commerce B2B, with no patch currently available. The medium severity rating reflects limited impact scope, though the network-accessible attack vector presents a meaningful risk to exposed instances.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.
Improper authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow authenticated attackers to bypass security features and access restricted functionality without requiring user interaction. The vulnerability affects multiple Commerce and B2B product lines, enabling low-privileged users to gain unauthorized access to sensitive features. No patch is currently available for this issue.
Incorrect authorization in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers to bypass security controls and view sensitive data without user interaction. The vulnerability stems from improper access control checks that enable low-privileged users to access information they should not be able to view. Currently, no patch is available for affected versions.
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. [CVSS 3.1 LOW]
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.
Stored XSS in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform's content authoring interface. When a victim - typically an administrator or higher-privileged user - browses the page containing the injected field, the script executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the changed scope (S:C) in the CVSS vector elevates the effective impact beyond the originating component, making this a meaningful risk in environments with untrusted low-privilege authors.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables low-privileged authenticated attackers to inject persistent malicious JavaScript into vulnerable form fields, which then executes in the browsers of users who visit the affected pages. The CVSS Scope:Changed designation means injected scripts can breach the security context of the AEM application itself, potentially affecting other browser-accessible resources. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in other users' browsers upon page load. Affected versions span the 6.5.x branch through 6.5.24, the LTS SP1 track, and cloud-native releases through 2026.04. No public exploit code or active exploitation has been identified at time of analysis; however, the changed scope (S:C) elevates real-world impact by enabling session hijacking or credential theft against higher-privileged users such as authors or administrators.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses a page containing the poisoned field, the script executes in their browser - with scope change (S:C) meaning the injected payload can affect resources and sessions beyond the origin of the vulnerable component itself. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields. When a victim - such as an administrator - browses a page containing the injected payload, the script executes in their browser session, enabling session hijacking, credential theft, or privilege escalation within the AEM instance. The CVSS Scope:Changed designation elevates practical risk above the medium base score of 5.4, as impact extends beyond the attacker's own session to the victim's browser context. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any victim user subsequently browses to the page hosting the injected content, the script executes in their browser - outside AEM's security boundary (CVSS S:C, scope changed) - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in any victim's browser upon page visit. Affected versions span the 6.5.x LTS line through 6.5.24 and LTS SP1, as well as cloud-service releases through 2026.04. The CVSS Scope:Changed designation confirms the payload can affect browser contexts beyond the attacker's own session - elevating concern for privilege escalation against higher-privileged users such as administrators. No public exploit identified at time of analysis and no CISA KEV listing observed.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persist malicious JavaScript payloads inside vulnerable form fields. When a higher-privileged user - such as an administrator or editor - later browses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions on the victim's behalf. The CVSS Scope:Changed designation confirms the exploit transcends the attacker's own privilege boundary; no public exploit has been identified and CISA SSVC assessment rates exploitation as none at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users - including higher-privileged ones - who subsequently visit the affected page. Affected versions span 6.5.24, LTS SP1, and 2026.04 and earlier. The CVSS Scope:Changed designation indicates that successful exploitation can impact components beyond the attacker's privilege boundary, elevating the practical impact of an otherwise medium-severity finding. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier allows an authenticated low-privileged attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses to the page containing the poisoned field, the script executes in their browser under AEM's origin, with scope change (S:C) enabling the attacker to affect browser context beyond AEM's own security boundary. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low access complexity and persistent nature of the payload make this a credible threat in multi-tenant or contributor-accessible AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users who visit the affected page. Affected versions span the 6.5.x branch (through 6.5.24), the LTS SP1 track, and the cloud-native 2026.04 release and earlier. The scope-changed CVSS rating reflects that the injected payload crosses the security boundary from the attacker's session context to arbitrary victim sessions, enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields, executing in the browser of any user who subsequently views the affected page. The CVSS Scope Changed (S:C) designation confirms the injected script crosses trust boundaries, meaning payloads can target administrator sessions, exfiltrate tokens, or perform privileged actions beyond the AEM application context. Adobe has published advisory APSB26-56 addressing this issue; no public exploit has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows an authenticated low-privileged attacker to inject and execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment through a crafted webpage. Successful exploitation results in a scope change (S:C), meaning attacker-controlled script can reach resources beyond the vulnerable AEM component - such as session tokens or cross-origin content accessible to the victim. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though Adobe's own PSIRT reported it under advisory APSB26-56.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject and execute malicious JavaScript within a victim's browser by manipulating the Document Object Model. The CVSS Scope:Changed rating signals that successful exploitation breaks out of the vulnerable component's security boundary, enabling impact on resources beyond AEM itself - such as adjacent browser sessions or stored credentials. No public exploit identified at time of analysis, and CISA KEV listing is absent, but the low attack complexity and changed scope make this a meaningful risk for organizations running AEM with untrusted low-privilege users.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject malicious scripts into vulnerable form fields, which then execute in any victim's browser when they navigate to the affected page. The Changed scope (S:C) in the CVSS vector confirms that impact escapes the vulnerable component and reaches the victim's browser context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform. When a higher-privileged user - such as an administrator or content editor - subsequently browses to a page containing the poisoned field, the injected script executes in their browser, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; Adobe has published advisory APSB26-56 to address this issue.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser within a changed scope context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the Adobe APSB26-56 advisory provides remediation guidance.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) permits a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields, which then executes in any victim's browser upon visiting the affected page. The CVSS scope change (S:C) indicates the injected script can impact browser contexts beyond AEM itself - enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the page containing the tainted field, the script executes in their browser under a changed scope (S:C), meaning the impact extends beyond the originating application context. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the low attack complexity and broad version range make this a realistic internal threat in multi-tenant AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to the affected page, the injected script executes within their browser session. The CVSS Scope:Changed rating confirms the exploit crosses security boundaries: the attacker's injected payload affects victims beyond the attacker's own session, enabling session hijacking, credential theft, or privilege escalation in a CMS where administrators hold significant content control. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields via the AEM authoring interface. When any victim browses a page containing the compromised field, the injected script executes within their browser - the CVSS Scope Changed (S:C) flag confirms the impact crosses trust boundaries beyond the AEM application itself, enabling session theft or unauthorized actions on behalf of higher-privileged users. No public exploit identified at time of analysis; Adobe has published advisory APSB26-56 addressing this issue.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged remote attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The changed scope (S:C in CVSS) means successful exploitation can affect resources beyond the vulnerable component itself, enabling session hijacking or credential theft against AEM users. Exploitation requires user interaction - the victim must be social-engineered into visiting an attacker-controlled or injected URL - and no public exploit or CISA KEV listing exists at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.
Stored cross-site scripting in Adobe Experience Manager Forms JEE LTS SP1 and 6.5.24.0 and earlier allows remote unauthenticated attackers to inject malicious JavaScript into vulnerable form fields that executes in victims' browsers when they visit the affected page. The scope-changed CVSS 9.3 reflects that the injected script can pivot beyond the vulnerable component to compromise the victim's authenticated session or account. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch - ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.
Magento LTS prior to version 20.17.0 allows authenticated attackers to access private wishlist items from other users via an authorization bypass in the shared wishlist add-to-cart endpoint. The vulnerability permits an attacker with a valid sharing code for one wishlist to import items from a different victim's wishlist into their cart by manipulating the wishlist_item_id parameter, potentially exposing private custom option data and enabling cross-user file disclosure when file upload custom options are present. CVSS 5.3 (AV:N/AC:L/PR:L) indicates network-accessible exploitation requiring low privileges; patch version 20.17.0 resolves the issue.
OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (`str_replace('../', '', $input)`). Attackers can circumvent the blacklist by using nested patterns like `..././` or `....//` which resolve to valid `../` sequences after filtering. Remote administrative access is required, but the high confidentiality impact and confirmed patch availability make immediate patching necessary for affected deployments.
Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.
Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search path used by the application to locate critical resources, potentially causing unauthorized code execution. Exploitation of this issue required user interaction in that a user had to be running the installer.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier allows local attackers to disclose sensitive information from process memory without user privileges, requiring only that a victim open a malicious document. CVSS 5.5 reflects confidentiality impact with low attack complexity, though no active exploitation or public proof-of-concept has been confirmed at analysis time.
Adobe FrameMaker 2022.8 and earlier suffers from uninitialized pointer access that leaks sensitive memory contents to local attackers. The vulnerability requires user interaction-a victim must open a specially crafted file-but once triggered, it bypasses memory protections and exposes confidential data without requiring authentication or modifying files. CVSS 5.5 reflects moderate severity (local attack vector, high confidentiality impact) with no public exploit identified at time of analysis.
Adobe FrameMaker 2022.8 and earlier allows arbitrary file system read through improper input validation when a user opens a malicious file, enabling attackers to access sensitive data on the victim's system. The vulnerability requires user interaction and is classified as information disclosure with a CVSS score of 6.3. No active exploitation or public exploit code has been identified at the time of analysis.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code with current user privileges via maliciously crafted files. The type confusion vulnerability (CWE-843) requires user interaction to open a weaponized document. CVSS 7.8 (High) reflects significant impact (full confidentiality, integrity, availability compromise) once exploitation succeeds. No public exploit identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote exploitation risk.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code in user context by delivering malicious FrameMaker documents that trigger integer underflow during file parsing. Attack requires social engineering to convince targets to open crafted files. No public exploit identified at time of analysis, though CVSS 7.8 severity reflects high impact across confidentiality, integrity, and availability if successfully exploited.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files exploiting an integer underflow. Attack requires user interaction (opening a malicious file). CVSS 7.8 (High) reflects local attack vector with low complexity. No public exploit identified at time of analysis, and EPSS data not provided. Vendor advisory available at Adobe PSIRT (APSB26-36).
Out-of-bounds write in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open specially crafted malicious files. The vulnerability achieves full confidentiality, integrity, and availability impact (CVSS 7.8 HIGH) but requires local access and user interaction, limiting immediate risk. No public exploit identified at time of analysis, and exploitation requires social engineering to deliver the malicious file to victims.
Out-of-bounds read in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open malicious crafted files. Exploitation requires local access and user interaction (CVSS 7.8, AV:L/UI:R), allowing attackers to execute code with current user privileges and achieve high confidentiality, integrity, and availability impact. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Adobe has released security bulletin APSB26-36 addressing this vulnerability.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. Attack requires local access and user interaction (CVSS 7.8, AV:L/UI:R), limiting remote exploitation scenarios. No public exploit identified at time of analysis. EPSS data not available, and vulnerability not listed in CISA KEV, suggesting exploitation remains theoretical despite the high CVSS score.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier via DLL hijacking/search path manipulation allows local attackers to run malicious code in user context without interaction. CVSS 8.6 severity stems from changed scope and high confidentiality/integrity/availability impact despite local attack vector. No public exploit identified at time of analysis. EPSS data not available for this recent CVE. Vendor patch released per Adobe Security Bulletin APSB26-36.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and earlier allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious webpage that manipulates the DOM environment. The vulnerability requires user interaction and results in limited confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager 6.5.24 and FP11.7 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious web pages that manipulate the DOM environment, requiring user interaction to trigger the attack. CVSS 5.4 reflects moderate severity with network-accessible attack surface but limited scope impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and FP11.7 earlier allows authenticated users to execute arbitrary JavaScript in victims' browsers by crafting malicious webpages that manipulate the DOM environment. The vulnerability requires user interaction (victim must visit a crafted page) and affects the confidentiality and integrity of user sessions within the AEM application context. CVSS 5.4 reflects the moderate severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager versions FP11.7 and earlier allows authenticated attackers to inject malicious JavaScript into form fields, which executes in victims' browsers with limited impact (confidentiality and integrity). The vulnerability requires user interaction (victim must view the affected page) and authenticated access, resulting in a CVSS 5.4 (medium) score. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge.
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Reflected cross-site scripting (XSS) in Adobe Connect 2025.3, 12.10, and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a crafted URL, potentially compromising user session data and performing actions on behalf of the victim. The vulnerability affects multiple versions across a wide product scope and requires user interaction (clicking a malicious link) to trigger. No public exploit code or active exploitation has been confirmed at the time of analysis.
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat.
Reflected Cross-Site Scripting in Adobe Connect versions 12.10 and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by distributing a malicious URL. The vulnerability requires user interaction (clicking a link) and can affect the confidentiality and integrity of user sessions across different origins due to changed scope. No public exploit code or active exploitation has been confirmed at this time.
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score.
Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory.
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Prototype pollution in Adobe Acrobat Reader allows arbitrary code execution when victims open malicious PDF files. Affects Acrobat Reader versions through 26.001.21411, 24.001.30360, and 24.001.30362. Attack requires local file access with user interaction (CVSS AV:L/UI:R) but achieves scope change and full CIA impact (S:C/C:H/I:H/A:H), yielding CVSS 8.6. No public exploit identified at time of analysis. Vendor advisory available from Adobe (APSB26-44). EPSS data not provided; exploitation status limited to user-interaction-dependent local attack vector.
Prototype pollution in Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier allows arbitrary file system read operations in the context of the current user when a victim opens a malicious PDF or document. The vulnerability requires user interaction but enables confidentiality compromise with high impact; no active exploitation confirmed but the attack surface is broad given Acrobat Reader's ubiquity in document handling.
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.
Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 permit attackers to bypass security features and degrade data integrity and availability with no user interaction required. The vulnerability affects multiple Adobe Commerce and Magento B2B product lines, though exploitation requires specific conditions outside the attacker's direct control. No patch is currently available for this medium-severity flaw.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.
Security feature bypass in Adobe Commerce and Magento versions 2.4.4-p16 through 2.4.9-alpha3 results from improper input validation, allowing unauthenticated remote attackers to compromise the integrity of affected systems without user interaction. The vulnerability affects multiple product lines including Commerce B2B, with no patch currently available. The medium severity rating reflects limited impact scope, though the network-accessible attack vector presents a meaningful risk to exposed instances.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.
Improper authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow authenticated attackers to bypass security features and access restricted functionality without requiring user interaction. The vulnerability affects multiple Commerce and B2B product lines, enabling low-privileged users to gain unauthorized access to sensitive features. No patch is currently available for this issue.
Incorrect authorization in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers to bypass security controls and view sensitive data without user interaction. The vulnerability stems from improper access control checks that enable low-privileged users to access information they should not be able to view. Currently, no patch is available for affected versions.
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. [CVSS 3.1 LOW]
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.