33
CVEs
7
Critical
6
High
0
KEV
1
PoC
12
Unpatched C/H
3.0%
Patch Rate
2.8%
Avg EPSS
Severity Breakdown
CRITICAL
7
HIGH
6
MEDIUM
19
LOW
1
Monthly CVE Trend
Affected Products (30)
Acrobat Reader Dc
1611
Acrobat Dc
1611
Acrobat
1078
Experience Manager
904
Flash Player
869
Acrobat Reader
801
Air Sdk
404
Magento
361
Air
361
Air Sdk Compiler
360
Reader
351
Flash Player Desktop Runtime
284
Commerce
159
Experience Manager Cloud Service
154
Adobe Air
102
Dimension
99
Enterprise Linux Workstation
99
Framemaker
99
Enterprise Linux Desktop
99
Bridge
95
Adobe Air Sdk
95
Enterprise Linux Server
90
Commerce B2b
88
Air Desktop Runtime
85
Photoshop Cc
77
Coldfusion
76
Opensuse
76
Indesign
73
Illustrator
72
Digital Editions
68
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-48286 | Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 10.0 | 0.7% | 51 |
No patch
|
| CVE-2026-48358 | Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis. | CRITICAL | 10.0 | 0.9% | 50 |
No patch
|
| CVE-2026-48359 | Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch. | CRITICAL | 9.6 | 0.5% | 49 |
No patch
|
| CVE-2026-48259 | Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation. | CRITICAL | 9.6 | 0.4% | 48 |
No patch
|
| CVE-2026-48356 | Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical. | CRITICAL | 9.6 | 28.3% | 48 |
No patch
|
| CVE-2026-47988 | Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts. | CRITICAL | 9.1 | 0.5% | 46 |
No patch
|
| CVE-2026-47984 | Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority. | CRITICAL | 9.1 | 0.5% | 46 |
No patch
|
| CVE-2026-48310 | Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenticated attackers traverse outside the intended directory scope to retrieve sensitive files, per Adobe advisory APSB26-74. The CVSS 3.1 score of 8.6 is elevated by a changed scope (S:C), meaning the read reaches resources beyond the vulnerable component's security authority. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. | HIGH | 8.6 | 0.6% | 44 |
No patch
|
| CVE-2026-48252 | Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthenticated attacker reach a critical function directly, bypassing a security control to gain unauthorized write access. The CVSS 8.6 rating and scope-change flag indicate impact can extend beyond the initially vulnerable component, though only integrity is affected (no confidentiality or availability loss). No public exploit identified at time of analysis, and it is not listed in CISA KEV. | HIGH | 8.6 | 0.4% | 43 |
No patch
|
| CVE-2020-9695 | Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.8 | 0.2% | 39 |
No patch
|
| CVE-2026-54071 | Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis. | HIGH | 7.8 | – | 39 |
PoC
|
| CVE-2026-48294 | Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension. | HIGH | 7.4 | 1.0% | 38 |
No patch
|
| CVE-2026-47992 | SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided. | HIGH | 7.2 | 19.6% | 36 |
No patch
|
| CVE-2026-47999 | Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious | MEDIUM | 4.8 | 11.5% | 36 |
No patch
|
| CVE-2026-47996 | Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. There is no public exploit identified at time of analysis and no CISA KEV listing, making exploitation currently theoretical rather than observed. | MEDIUM | 6.8 | 18.5% | 34 |
No patch
|