Skip to main content

Adobe

Vendor security scorecard – 289 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 855
289
CVEs
22
Critical
81
High
4
KEV
11
PoC
91
Unpatched C/H
6.2%
Patch Rate
0.7%
Avg EPSS

Severity Breakdown

CRITICAL
22
HIGH
81
MEDIUM
178
LOW
8

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2025-54236 Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction. CRITICAL 9.1 73.7% 204
KEV PoC No patch
CVE-2025-54253 Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0). CRITICAL 10.0 12.8% 133
KEV PoC No patch
CVE-2026-34621 Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis. HIGH 8.6 0.2% 118
KEV PoC No patch
CVE-2026-45247 Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module. CRITICAL 9.3 0.1% 117
KEV PoC
CVE-2026-53787 Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension. CRITICAL 9.3 0.2% 67
PoC
CVE-2026-27809 Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available. CRITICAL 9.1 0.0% 66
PoC
CVE-2025-54249 Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. MEDIUM 6.5 6.3% 59
PoC No patch
CVE-2026-48286 Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 10.0 0.7% 51
No patch
CVE-2026-48303 Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation. CRITICAL 10.0 0.5% 50
No patch
CVE-2026-47938 Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers. CRITICAL 10.0 0.1% 50
No patch
CVE-2026-48358 Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis. CRITICAL 10.0 0.9% 50
No patch
CVE-2025-54251 Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. MEDIUM 4.3 8.4% 50
PoC No patch
CVE-2026-34659 Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr CRITICAL 9.6 1.5% 50
No patch
CVE-2026-27303 Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge. CRITICAL 9.6 1.5% 50
No patch
CVE-2026-48359 Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch. CRITICAL 9.6 0.5% 49
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy