5603
CVEs
1345
Critical
2131
High
67
KEV
300
PoC
1378
Unpatched C/H
52.2%
Patch Rate
6.8%
Avg EPSS
Severity Breakdown
CRITICAL
1345
HIGH
2131
MEDIUM
2026
LOW
101
Monthly CVE Trend
Affected Products (30)
Acrobat Reader Dc
1611
Acrobat Dc
1611
Acrobat
1078
Experience Manager
904
Flash Player
869
Acrobat Reader
801
Air Sdk
404
Magento
361
Air
361
Air Sdk Compiler
360
Reader
351
Flash Player Desktop Runtime
284
Commerce
159
Experience Manager Cloud Service
154
Adobe Air
102
Dimension
99
Enterprise Linux Workstation
99
Framemaker
99
Enterprise Linux Desktop
99
Bridge
95
Adobe Air Sdk
95
Enterprise Linux Server
90
Commerce B2b
88
Air Desktop Runtime
85
Photoshop Cc
77
Coldfusion
76
Opensuse
76
Indesign
73
Illustrator
72
Digital Editions
68
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2015-5119 | Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitrary code via crafted Flash content exploiting a use-after-free flaw in the ByteArray class. Confirmed actively exploited (CISA KEV) in July 2015 following the Hacking Team data breach, which exposed weaponized exploit code targeting this vulnerability. With EPSS score of 93.21% (100th percentile) and publicly available proof-of-concept, this represents critical risk to unpatched Flash installations across Windows, OS X, and Linux platforms. Vendor-released patches available via Adobe APSB15-16. | CRITICAL | 9.8 | 93.2% | 237 |
KEV
PoC
|
| CVE-2016-4117 | Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute arbitrary code without user interaction. Confirmed actively exploited (CISA KEV) in May 2016 with public exploit code available. EPSS score of 92.76% (100th percentile) reflects the extreme likelihood of exploitation. This was a critical zero-day vulnerability used in targeted attacks before Adobe released emergency patches in APSA16-02 and APSB16-15. | CRITICAL | 9.8 | 92.8% | 237 |
KEV
PoC
No patch
|
| CVE-2015-3113 | Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in June 2015 by APT3 (a Chinese cyber espionage group) in phishing campaigns targeting aerospace and defense organizations. | CRITICAL | 9.8 | 92.4% | 236 |
KEV
PoC
|
| CVE-2011-2462 | Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote code execution, exploited as a zero-day in December 2011 through crafted PDF files. | CRITICAL | 9.8 | 91.9% | 236 |
KEV
PoC
No patch
|
| CVE-2011-0611 | Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute arbitrary code via malicious SWF content, actively exploited in targeted attacks in April 2011. | HIGH | 8.8 | 93.6% | 233 |
KEV
PoC
|
| CVE-2009-0927 | Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab object that allows remote attackers to execute arbitrary code via a crafted PDF argument. | HIGH | 8.8 | 93.3% | 232 |
KEV
PoC
|
| CVE-2014-0497 | Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 93.1% | 227 |
KEV
PoC
|
| CVE-2009-4324 | Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was actively exploited as a zero-day in December 2009 via crafted PDF files with ZLib compressed streams. | HIGH | 7.8 | 92.9% | 227 |
KEV
PoC
No patch
|
| CVE-2015-0313 | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 92.8% | 227 |
KEV
PoC
|
| CVE-2015-5122 | Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 92.8% | 227 |
KEV
PoC
No patch
|
| CVE-2015-0311 | Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 92.7% | 227 |
KEV
PoC
|
| CVE-2013-0632 | administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 92.7% | 227 |
KEV
PoC
No patch
|
| CVE-2011-0609 | Adobe Flash Player 10.2 and earlier across all platforms contain an unspecified vulnerability allowing remote code execution, exploited in the wild via Flash content embedded in Microsoft Office documents and web pages. | HIGH | 7.8 | 92.0% | 226 |
KEV
PoC
No patch
|
| CVE-2013-3346 | Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 89.9% | 224 |
KEV
PoC
No patch
|
| CVE-2017-3066 | Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and EPSS scoring at 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector requiring no authentication or user interaction makes this a top-priority remediation target for any organization running affected ColdFusion versions. | CRITICAL | 9.8 | 93.4% | 222 |
KEV
PoC
|