| Metric | Value |
|---|---|
| CVEs | 470 |
| Critical | 7 |
| High | 99 |
| KEV | 2 |
| PoC | 5 |
| Unpatched C/H | 86 |
| Patch Rate | 10.6% |
| Avg EPSS | 0.5% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 7 |
| HIGH | 99 |
| MEDIUM | 355 |
| LOW | 9 |
Monthly CVE Trend
Affected Products (30)

| Product / Category | CVEs |
|---|---|
| Experience Manager | 281 |
| Commerce B2b | 66 |
| Magento | 57 |
| Commerce | 56 |
| Framemaker | 30 |
| Use After Free | 17 |
| Acrobat Reader Dc | 15 |
| Acrobat | 15 |
| Acrobat Dc | 15 |
| Memory Corruption | 14 |
| Indesign | 13 |
| Heap Overflow | 12 |
| Acrobat Reader | 12 |
| Illustrator | 9 |
| Pdf Tools | 7 |
| Pdf Xchange Editor | 7 |
| Substance 3d Stager | 6 |
| Null Pointer Dereference | 5 |
| Connect | 5 |
| Integer Overflow | 4 |
| PHP | 3 |
| Stack Overflow | 3 |
| Incopy | 2 |
| Deserialization | 2 |
| Pdf Xchange Pro | 2 |
| Experience Manager Forms | 2 |
| OpenSSL | 1 |
| Substance 3d Sampler | 1 |
| Open Redirect | 1 |
| Prototype Pollution | 1 |
Top Risky CVEs

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-54236 | Adobe Commerce (Magento) contains an improper input validation vulnerability (CVSS 9.1) that enables unauthenticated session takeover with high confidentiality and integrity impact. KEV-listed with EPSS 73.7% and a public PoC, this vulnerability threatens every Adobe Commerce storefront, potentially exposing customer payment data, order information, and administrative access across thousands of e-commerce sites. | CRITICAL | 9.1 | 73.7% | 189 | KEV, PoC, No patch |
| CVE-2025-54253 | Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0). | CRITICAL | 10.0 | 12.8% | 133 | KEV, PoC, No patch |
| CVE-2025-49533 | Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution. No user interaction is required, making this a direct attack against enterprise content management infrastructure. | CRITICAL | 9.8 | 47.0% | 96 | No patch |
| CVE-2026-27809 | Integer overflow in the psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to a heap overflow. PoC and patch available. | CRITICAL | 9.1 | 0.0% | 66 | PoC |
| CVE-2025-27203 | Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction, and the scope is changed. | CRITICAL | 9.6 | 14.7% | 63 | No patch |
| CVE-2025-24434 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in privilege escalation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available. | CRITICAL | 9.1 | 0.2% | 46 | |
| CVE-2025-24410 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 1.4% | 45 | |
| CVE-2025-24412 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-24413 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-24414 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-24415 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-24416 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-24417 | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.9% | 44 | |
| CVE-2025-60991 | A reflected cross-site scripting (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the cat parameter. | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2025-46840 | CVE-2025-46840 is an Improper Authorization vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier that allows low-privileged attackers to escalate privileges and bypass security controls, potentially achieving session takeover. The vulnerability requires user interaction and has a CVSS score of 8.7 with high confidentiality and integrity impact. While no active exploitation in the wild (KEV status) or public proof-of-concept is currently documented, the network-accessible attack vector and low attack complexity combined with privilege escalation capabilities make this a high-priority patch candidate for organizations running affected AEM instances. | HIGH | 8.7 | 0.1% | 44 | No patch |