239
CVEs
20
Critical
61
High
2
KEV
5
PoC
73
Unpatched C/H
4.2%
Patch Rate
0.4%
Avg EPSS
Severity Breakdown
CRITICAL
20
HIGH
61
MEDIUM
153
LOW
5
Monthly CVE Trend
Affected Products (30)
Acrobat Reader Dc
1611
Acrobat Dc
1611
Acrobat
1078
Experience Manager
904
Flash Player
869
Acrobat Reader
801
Air Sdk
404
Magento
361
Air
361
Air Sdk Compiler
360
Reader
351
Flash Player Desktop Runtime
284
Commerce
159
Experience Manager Cloud Service
154
Adobe Air
102
Dimension
99
Enterprise Linux Workstation
99
Framemaker
99
Enterprise Linux Desktop
99
Bridge
95
Adobe Air Sdk
95
Enterprise Linux Server
90
Commerce B2b
88
Air Desktop Runtime
85
Photoshop Cc
77
Coldfusion
76
Opensuse
76
Indesign
73
Illustrator
72
Digital Editions
68
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34621 | Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis. | HIGH | 8.6 | 0.2% | 118 |
KEV
PoC
No patch
|
| CVE-2026-45247 | Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module. | CRITICAL | 9.3 | 0.1% | 117 |
KEV
PoC
|
| CVE-2026-53787 | Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension. | CRITICAL | 9.3 | 0.2% | 67 |
PoC
|
| CVE-2026-27809 | Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-48286 | Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 10.0 | 0.7% | 51 |
No patch
|
| CVE-2026-48303 | Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation. | CRITICAL | 10.0 | 0.5% | 50 |
No patch
|
| CVE-2026-47938 | Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers. | CRITICAL | 10.0 | 0.1% | 50 |
No patch
|
| CVE-2026-48358 | Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis. | CRITICAL | 10.0 | 0.9% | 50 |
No patch
|
| CVE-2026-34659 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr | CRITICAL | 9.6 | 1.5% | 50 |
No patch
|
| CVE-2026-27303 | Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge. | CRITICAL | 9.6 | 1.5% | 50 |
No patch
|
| CVE-2026-48359 | Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch. | CRITICAL | 9.6 | 0.5% | 49 |
No patch
|
| CVE-2026-48259 | Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation. | CRITICAL | 9.6 | 0.4% | 48 |
No patch
|
| CVE-2026-48356 | Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical. | CRITICAL | 9.6 | 28.3% | 48 |
No patch
|
| CVE-2026-34615 | Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory. | CRITICAL | 9.3 | 1.4% | 48 |
No patch
|
| CVE-2026-34660 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code | CRITICAL | 9.3 | 0.5% | 47 |
No patch
|