Summary

- CVEs: 536
- Critical: 21
- High: 130
- KEV: 14
- PoC: 14
- Unpatched Critical/High: 120
- Patch Rate: 11.9%
- Avg EPSS: 2.2%
Severity Breakdown

- CRITICAL: 21
- HIGH: 130
- MEDIUM: 373
- LOW: 12
Monthly CVE Trend (chart; no data captured on this page)
Affected Products (30)

| Product | CVEs |
|---|---|
| Experience Manager | 279 |
| Commerce B2B | 66 |
| Magento | 57 |
| Commerce | 56 |
| FrameMaker | 30 |
| Acrobat | 15 |
| Acrobat DC | 15 |
| Acrobat Reader DC | 15 |
| InDesign | 13 |
| Acrobat Reader | 12 |
| Illustrator | 9 |
| PDF-XChange Editor | 7 |
| Pdf Tools | 7 |
| Substance 3D Stager | 6 |
| Connect | 5 |
| PHP | 4 |
| Prototype Pollution | 3 |
| Open Redirect | 2 |
| Experience Manager Forms | 2 |
| InCopy | 2 |
| PDF-XChange Pro | 2 |
| Java | 2 |
| JWT Attack | 2 |
| Experience Manager Screens | 1 |
| OpenSSL | 1 |
| Psd Tools | 1 |
| Python | 1 |
| Substance 3D Painter | 1 |
| Substance 3D Sampler | 1 |
| ImageMagick | 1 |

The counts overlap: a CVE tagged to several products (for example Acrobat, Acrobat DC and Acrobat Reader DC, or Commerce, Commerce B2B and Magento) is counted under each, which is why the column sums to 619 rather than the 536 CVEs in the summary. Several entries (Prototype Pollution, Open Redirect, JWT Attack, PHP, Java, Python, OpenSSL, ImageMagick) are vulnerability-class or dependency tags rather than Adobe products, so treat this list as tags, not a product inventory.
Top Risky CVEs

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2017-3066 | Unauthenticated remote code execution in Adobe ColdFusion via Java deserialization in the bundled Apache BlazeDS library. Affects ColdFusion 10 (Update 22 and earlier), ColdFusion 11 (Update 11 and earlier) and ColdFusion 2016 (Update 3 and earlier). Network-reachable with no authentication or user interaction; in CISA KEV, public exploit code (Exploit-DB 43993) and EPSS 93.36% (100th percentile) make it a top remediation target for any affected ColdFusion deployment. | CRITICAL | 9.8 | 93.4% | 222 | KEV, PoC |
| CVE-2015-5119 | Use-after-free in the ByteArray class of Adobe Flash Player 11.x through 18.x; crafted Flash content gives unauthenticated remote code execution on Windows, OS X and Linux. A weaponized exploit leaked in the July 2015 Hacking Team breach; in CISA KEV with public proof-of-concept and EPSS 93.21% (100th percentile). Fixed in APSB15-16. | CRITICAL | 9.8 | 93.2% | 222 | KEV, PoC |
| CVE-2016-4117 | Remote code execution in Adobe Flash Player 21.0.0.226 and earlier, requiring no authentication or user interaction. Exploited as a zero-day in targeted attacks in May 2016 before Adobe issued advisory APSA16-02 and the APSB16-15 fix; in CISA KEV with public exploit code and EPSS 92.76% (100th percentile). | CRITICAL | 9.8 | 92.8% | 222 | KEV, PoC, No patch |
| CVE-2015-3113 | Heap-based buffer overflow in Adobe Flash Player allowing remote code execution; exploited as a zero-day in June 2015 by APT3 (a Chinese cyber-espionage group) in phishing campaigns against aerospace and defense organizations. | CRITICAL | 9.8 | 92.4% | 221 | KEV, PoC |
| CVE-2011-2462 | Memory corruption in the U3D component of Adobe Reader and Acrobat allowing remote code execution; exploited as a zero-day in December 2011 via crafted PDF files. | CRITICAL | 9.8 | 91.9% | 221 | KEV, PoC, No patch |
| CVE-2011-0611 | Type confusion in object handling in Adobe Flash Player allowing remote code execution via malicious SWF content; exploited in targeted attacks in April 2011. | HIGH | 8.8 | 93.6% | 218 | KEV, PoC |
| CVE-2009-0927 | Stack-based buffer overflow in the getIcon method of the Collab object in Adobe Reader and Acrobat 9.x, 8.x and 7.x; a crafted argument in a PDF gives remote code execution. | HIGH | 8.8 | 93.3% | 217 | KEV, PoC |
| CVE-2009-4324 | Use-after-free in the Doc.media.newPlayer JavaScript method of Adobe Reader and Acrobat; exploited as a zero-day in December 2009 via crafted PDFs carrying zlib-compressed streams. | HIGH | 7.8 | 92.9% | 212 | KEV, PoC, No patch |
| CVE-2011-0609 | Unspecified remote code execution flaw in Adobe Flash Player 10.2 and earlier on all platforms; exploited in the wild through Flash content embedded in Microsoft Office documents and web pages. | HIGH | 7.8 | 92.0% | 211 | KEV, PoC, No patch |
| CVE-2015-8651 | Integer overflow in Adobe Flash Player before 18.0.0.324/20.0.0.267, Adobe AIR before 20.0.0.233 and the associated SDKs on Windows, OS X and Linux, allowing remote code execution. In CISA KEV with EPSS 88.97%; vendor patches available since December 2015. | HIGH | 8.8 | 89.0% | 193 | KEV |
| CVE-2025-54236 | Improper input validation in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 lets unauthenticated remote attackers take over active user sessions, including administrative sessions, with no victim interaction. In CISA KEV with public exploit code and EPSS 73.72% (99th percentile): a widespread threat to e-commerce deployments. | CRITICAL | 9.1 | 73.7% | 189 | KEV, PoC, No patch |
| CVE-2025-54253 | Misconfiguration in Adobe Experience Manager 6.5.23 and earlier enabling unauthenticated remote code execution with changed scope (CVSS 10.0). | CRITICAL | 10.0 | 12.8% | 133 | KEV, PoC, No patch |
| CVE-2015-2387 | Memory corruption in the Adobe Type Manager Font Driver (ATMFD.DLL) on Windows allowing local privilege escalation; used by the Duqu 2.0 malware in targeted attacks on diplomatic entities. | HIGH | 7.8 | 31.2% | 130 | KEV |
| CVE-2026-34621 | Prototype pollution in Adobe Acrobat Reader 24.001.30356, 26.001.21367 and earlier; opening a crafted PDF yields arbitrary code execution in the user's context, so user interaction is required. The source description rates it CVSS 9.6 (Critical) for network-deliverable code execution with scope change, while EPSS 0.24% (46th percentile) indicates low real-world exploitation probability. No public exploit identified at time of analysis. | HIGH | 8.6 | 0.2% | 118 | KEV, PoC, No patch |
| CVE-2025-49533 | Deserialization of untrusted data in Adobe Experience Manager 6.5.23.0 and earlier allowing unauthenticated remote code execution with no user interaction: a direct attack on enterprise content management infrastructure. | CRITICAL | 9.8 | 47.0% | 96 | No patch |

Two cautions when reading the Signals column. First, the "No patch" flag is a tracker field, not a statement from the vendor advisory, and it is contradicted by the rows themselves: CVE-2016-4117's summary cites the APSB16-15 fix, and the 2009-2011 Reader and Flash bugs carrying the flag (CVE-2009-4324, CVE-2011-0609, CVE-2011-2462) were fixed by Adobe security updates at the time; confirm patch status against the Adobe bulletin rather than this flag. Second, CVE-2026-34621 carries a PoC signal while its summary reports no public exploit, and its 8.6/High rating disagrees with the CVSS 9.6 quoted in the summary, so that row's scoring is internally inconsistent and should be re-checked at the source.
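The Priority column above ranks 8.8-rated Flash bugs with EPSS above 90% ahead of a CVSS 10.0 Experience Manager flaw with EPSS 12.8%, which is the practical point of a dashboard like this: exploitation evidence (KEV, EPSS) and base severity (CVSS) disagree, and a CVSS-only queue works the wrong list. The following is an added example, not code from the dashboard or its vendor. It parses rows transcribed from the table into a small record type, ranks them once by an assumed exploitation-first policy (KEV, then EPSS, then CVSS) and once by CVSS alone, and reports the rows where the two disagree plus the KEV-and-unpatched remediation gap. The ordering rule is an illustrative assumption and is not the tracker's Priority formula; the pipe-delimited input format and the `Finding` type are likewise this example's own.

```python
"""Triage helper for a CVE dashboard export (added example, not the tracker's code).

Ranks findings by exploitation evidence versus CVSS alone and reports where the
two disagree. The triage policy in triage_order() is an assumption for
illustration, not the dashboard's Priority score.
"""
from dataclasses import dataclass, field

# Constructed sample input: rows transcribed from the table above, one per line as
#   CVE | Severity | CVSS | EPSS percent | Signals (comma-separated)
SAMPLE_ROWS = """\
CVE-2017-3066  | CRITICAL | 9.8  | 93.4 | KEV, PoC
CVE-2016-4117  | CRITICAL | 9.8  | 92.8 | KEV, PoC, No patch
CVE-2011-0611  | HIGH     | 8.8  | 93.6 | KEV, PoC
CVE-2015-8651  | HIGH     | 8.8  | 89.0 | KEV
CVE-2025-54236 | CRITICAL | 9.1  | 73.7 | KEV, PoC, No patch
CVE-2025-54253 | CRITICAL | 10.0 | 12.8 | KEV, PoC, No patch
CVE-2026-34621 | HIGH     | 8.6  | 0.2  | KEV, PoC, No patch
CVE-2025-49533 | CRITICAL | 9.8  | 47.0 | No patch
"""


@dataclass
class Finding:
    """One dashboard row (hypothetical record type for this example)."""
    cve: str
    severity: str
    cvss: float
    epss: float  # percent, 0-100, as the dashboard displays it
    signals: frozenset = field(default_factory=frozenset)

    @property
    def in_kev(self) -> bool:
        return "KEV" in self.signals

    @property
    def unpatched(self) -> bool:
        return "No patch" in self.signals


def parse_rows(text: str) -> list[Finding]:
    """Parse pipe-delimited rows; blank lines are skipped, malformed rows raise."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(cells)}")
        cve, severity, cvss, epss, signals = cells
        findings.append(Finding(
            cve=cve,
            severity=severity.upper(),
            cvss=float(cvss),
            epss=float(epss),
            signals=frozenset(s.strip() for s in signals.split(",") if s.strip()),
        ))
    return findings


def triage_order(findings: list[Finding]) -> list[str]:
    """Assumed policy: confirmed exploitation (KEV) first, then EPSS descending,
    then CVSS descending. Returns CVE IDs in that order."""
    ranked = sorted(findings, key=lambda f: (not f.in_kev, -f.epss, -f.cvss))
    return [f.cve for f in ranked]


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """Baseline a CVSS-only patch queue would produce (EPSS only as tie-break)."""
    ranked = sorted(findings, key=lambda f: (-f.cvss, -f.epss))
    return [f.cve for f in ranked]


def cvss_epss_disagreements(findings, high_cvss=9.0, low_epss=50.0, high_epss=80.0):
    """Rows where base severity and exploitation evidence point different ways.

    overrated:  CVSS >= high_cvss but EPSS < low_epss (a CVSS-only queue puts
                these ahead of bugs that are actually being exploited)
    underrated: CVSS < high_cvss but EPSS >= high_epss
    """
    overrated = [f.cve for f in findings if f.cvss >= high_cvss and f.epss < low_epss]
    underrated = [f.cve for f in findings if f.cvss < high_cvss and f.epss >= high_epss]
    return overrated, underrated


def unpatched_kev(findings) -> list[str]:
    """The remediation-gap set: exploited in the wild and still flagged unpatched."""
    return [f.cve for f in findings if f.in_kev and f.unpatched]


if __name__ == "__main__":
    fs = parse_rows(SAMPLE_ROWS)
    print("exploitation-first:", triage_order(fs))
    print("cvss-only:         ", cvss_only_order(fs))
    over, under = cvss_epss_disagreements(fs)
    print("high CVSS, low EPSS:", over)
    print("low CVSS, high EPSS:", under)
    print("KEV and unpatched:", unpatched_kev(fs))
```

On this sample the exploitation-first order starts with CVE-2011-0611 (CVSS 8.8, EPSS 93.6%) and ends with CVE-2025-49533, the only row not in KEV, whereas the CVSS-only order starts with CVE-2025-54253 (CVSS 10.0, EPSS 12.8%). The disagreement report names exactly the rows a team should argue about: the two AEM flaws that CVSS alone would put first, and the two 8.8-rated Flash bugs it would push down despite near-certain exploitation. Keeping the EPSS column as a percentage matching the dashboard avoids the off-by-100 mistake of mixing it with the 0-1 scale FIRST publishes.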