131
CVEs
9
Critical
45
High
1
KEV
2
PoC
49
Unpatched C/H
5.3%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
9
HIGH
45
MEDIUM
73
LOW
4
Monthly CVE Trend
Affected Products (30)
Experience Manager
279
Commerce B2b
66
Magento
57
Commerce
56
Framemaker
30
Acrobat
15
Acrobat Dc
15
Acrobat Reader Dc
15
Indesign
13
Acrobat Reader
12
Illustrator
9
Pdf Xchange Editor
7
Pdf Tools
7
Substance 3d Stager
6
Connect
5
PHP
4
Prototype Pollution
3
Open Redirect
2
Experience Manager Forms
2
Incopy
2
Pdf Xchange Pro
2
Java
2
Jwt Attack
2
Experience Manager Screens
1
OpenSSL
1
Psd Tools
1
Python
1
Substance 3d Painter
1
Substance 3d Sampler
1
Imagemagick
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34621 | Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis. | HIGH | 8.6 | 0.2% | 118 |
KEV
PoC
No patch
|
| CVE-2026-27809 | Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-34659 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr | CRITICAL | 9.6 | 1.5% | 50 |
No patch
|
| CVE-2026-27303 | Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge. | CRITICAL | 9.6 | 1.5% | 50 |
No patch
|
| CVE-2026-34615 | Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory. | CRITICAL | 9.3 | 1.4% | 48 |
No patch
|
| CVE-2026-34660 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code | CRITICAL | 9.3 | 0.5% | 47 |
No patch
|
| CVE-2026-27243 | Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level. | CRITICAL | 9.3 | 0.1% | 47 |
No patch
|
| CVE-2026-27245 | Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score. | CRITICAL | 9.3 | 0.1% | 47 |
No patch
|
| CVE-2026-27246 | DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat. | CRITICAL | 9.3 | 0.1% | 47 |
No patch
|
| CVE-2026-42155 | Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory. | CRITICAL | 9.3 | 0.0% | 47 |
|
| CVE-2026-40488 | Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided. | HIGH | 8.7 | 0.1% | 44 |
|
| CVE-2026-34653 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathn | HIGH | 8.7 | 0.1% | 44 |
No patch
|
| CVE-2026-21290 | Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available. | HIGH | 8.7 | 0.0% | 44 |
No patch
|
| CVE-2026-34617 | Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible. | HIGH | 8.7 | 0.0% | 44 |
No patch
|
| CVE-2026-34686 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XS | HIGH | 8.7 | 0.0% | 44 |
No patch
|