Adobe

Vendor security scorecard – 397 CVEs in the selected period

Risk score: 520
CVEs: 397
Critical: 6
High: 74
KEV-listed: 2
Public PoC: 5
Unpatched Critical/High: 72
Patch rate: 3.5%
Average EPSS: 0.5%

Severity Breakdown

Critical: 6
High: 74
Medium: 313
Low: 4
(total: 397)

Monthly CVE Trend (chart; monthly values are not captured in this text)

Top Risky CVEs

Each entry gives the CVE, severity, CVSS, EPSS, scorecard priority score and signals, followed by the summary. Signals: KEV = listed in the CISA Known Exploited Vulnerabilities catalogue; PoC = public proof of concept; No patch = no vendor fix recorded by the scorecard. Patch signals reflect the scorecard's own tracking, so confirm against the relevant Adobe security bulletin before treating an entry as unpatched.

CVE-2025-54236 | CRITICAL | CVSS 9.1 | EPSS 73.7% | Priority 189 | Signals: KEV, PoC, No patch
Adobe Commerce (Magento) improper input validation that enables unauthenticated session takeover with high confidentiality and integrity impact. KEV-listed, with a public PoC and an EPSS of 73.7%, it affects Adobe Commerce storefronts broadly and can expose customer payment data, order information and administrative access.

CVE-2025-54253 | CRITICAL | CVSS 10.0 | EPSS 12.8% | Priority 133 | Signals: KEV, PoC, No patch
Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier contain a misconfiguration vulnerability that enables unauthenticated remote code execution with changed scope.

CVE-2025-49533 | CRITICAL | CVSS 9.8 | EPSS 47.0% | Priority 96 | Signals: No patch
Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution with no user interaction, a direct attack on enterprise content management infrastructure.

CVE-2026-27809 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 66 | Signals: PoC
Integer overflow in the psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files, leading to a heap overflow. PoC and patch available. psd-tools is a third-party library for Adobe's PSD file format, not an Adobe product, so this entry matters only to organisations that ship or run that library.

CVE-2025-27203 | CRITICAL | CVSS 9.6 | EPSS 14.7% | Priority 63 | Signals: No patch
Adobe Connect versions 24.0 and earlier are affected by a deserialization of untrusted data vulnerability that could lead to arbitrary code execution. Exploitation requires user interaction, and scope is changed.

CVE-2025-60991 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 44 | Signals: No patch
Reflected cross-site scripting (XSS) in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload in the cat parameter. Codazon is a third-party theme vendor, not Adobe; the entry applies only to stores running those themes.

CVE-2025-46840 | HIGH | CVSS 8.7 | EPSS 0.1% | Priority 44 | Signals: No patch
Improper authorization in Adobe Experience Manager (AEM) versions 6.5.22 and earlier allows a low-privileged attacker to escalate privileges and bypass security controls, potentially achieving session takeover. It requires user interaction and has high confidentiality and integrity impact. No KEV listing or public PoC is documented, but the network attack vector, low attack complexity and privilege-escalation outcome make it a high-priority patch candidate for affected AEM instances.

CVE-2025-46837 | HIGH | CVSS 8.7 | EPSS 0.1% | Priority 44 | Signals: No patch
Reflected cross-site scripting (XSS) in form field handling in Adobe Experience Manager (AEM) versions 6.5.22 and earlier allows a low-privileged attacker to inject JavaScript. When a victim visits a page that renders the vulnerable field with attacker-controlled input, the script runs in the victim's browser context, enabling session hijacking and credential theft. Requires user interaction and no privileges beyond basic AEM access.

CVE-2026-21290 | HIGH | CVSS 8.7 | EPSS 0.0% | Priority 44 | Signals: No patch
Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 and 2.4.4-p16 and earlier allows an authenticated attacker to inject scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction (a victim viewing the page that contains the compromised field). No patch is currently recorded.

CVE-2026-34621 | HIGH | CVSS 8.6 | EPSS 0.2% | Priority 43 | Signals: PoC, No patch
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in the user's context via a malicious PDF; the victim must open the crafted document. The EPSS of 0.2% (46th percentile) indicates low expected exploitation activity despite the severity. The Signals column flags a PoC while the summary text noted none at the time of analysis, so check the current exploit status before prioritising.

CVE-2026-21280 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 43 | Signals: No patch
Untrusted search path in Adobe Illustrator 29.8.3 and 30.0 lets an attacker redirect application resource lookups to malicious executables, giving arbitrary code execution with the user's privileges. Exploitation requires local access and a user opening a crafted file. No patch is currently recorded.

CVE-2026-21333 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 43 | Signals: No patch
Untrusted search path in Adobe Illustrator versions 29.8.4 and 30.1 and earlier allows a local attacker to execute code with the user's privileges. The victim must open a specially crafted file, so the practical delivery route is social engineering or malicious file distribution. No patch is currently recorded.

CVE-2025-47110 | HIGH | CVSS 8.4 | EPSS 0.2% | Priority 42 | Signals: none recorded
Stored cross-site scripting (XSS) in form field validation in Adobe Commerce versions 2.4.8 and earlier allows a high-privileged attacker to inject JavaScript. When other high-privileged users view pages containing the payload, it executes in their browser context, with impact on confidentiality, integrity and availability across privileged accounts. The high privilege requirement limits who can plant the payload, but the effect on other administrators makes it a concern in multi-admin environments.

CVE-2025-43585 | HIGH | CVSS 8.2 | EPSS 0.1% | Priority 41 | Signals: none recorded
Improper authorization (CWE-285) in Adobe Commerce versions 2.4.8 and earlier allows an unauthenticated attacker to bypass security features and reach sensitive functionality. High integrity impact, network attack vector, and no authentication or user interaction required, which makes it a priority for Adobe Commerce administrators despite the low EPSS.

CVE-2025-43586 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
Remote code execution vulnerability; the scorecard gives no further detail. High severity, remediate promptly.
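The table above is the only part of this scorecard that can be worked with directly, and its headline cards (KEV, PoC, unpatched Critical/High, average EPSS) are only useful if they agree with the rows they summarise. The following Python script is an added example, not code from the scorecard or from Adobe: it parses the page's flattened row layout (a CVE row ending in severity, CVSS, EPSS and priority, optionally followed by a signals line), recomputes the cards from the parsed rows so they can be cross-checked, and applies a triage tiering. The sample rows are abridged from the entries above; the tier names, the 10% EPSS floor and the tiering order are assumptions, since the page does not publish its Priority formula.

```python
"""Parse a flattened vendor-scorecard table and triage its rows.

Added example, not the scorecard's own code. The rows below are abridged from
the Adobe scorecard on this page; tier names and thresholds are assumptions.
"""
import re
import statistics
from dataclasses import dataclass, field

# Constructed input in the page's flattened layout: one row per CVE ending in
# "<SEVERITY> <CVSS> <EPSS>% <Priority>", optionally followed by a signals line.
SAMPLE_TABLE = """\
CVE Summary Severity CVSS EPSS Priority Signals
CVE-2025-54236 Adobe Commerce improper input validation, unauthenticated session takeover CRITICAL 9.1 73.7% 189
KEV PoC No patch
CVE-2025-54253 AEM Forms on JEE misconfiguration, unauthenticated RCE CRITICAL 10.0 12.8% 133
KEV PoC No patch
CVE-2025-49533 AEM Forms on JEE deserialization, unauthenticated RCE CRITICAL 9.8 47.0% 96
No patch
CVE-2026-34621 Acrobat Reader prototype pollution via malicious PDF HIGH 8.6 0.2% 43
PoC No patch
CVE-2025-47110 Adobe Commerce stored XSS in form field validation HIGH 8.4 0.2% 42
CVE-2025-43585 Adobe Commerce improper authorization, unauthenticated HIGH 8.2 0.1% 41
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<summary>.*?)\s+"
    r"(?P<severity>CRITICAL|HIGH|MEDIUM|LOW)\s+(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<epss>\d+\.\d)%\s+(?P<priority>\d+)$"
)
SIGNAL_TOKEN = r"KEV|PoC|No patch"
SIGNAL_LINE_RE = re.compile(rf"(?:{SIGNAL_TOKEN})(?:\s+(?:{SIGNAL_TOKEN}))*")


@dataclass
class Finding:
    cve: str
    summary: str
    severity: str
    cvss: float
    epss: float                          # probability in 0..1
    priority: int                        # the scorecard's own score, taken as given
    signals: set[str] = field(default_factory=set)


def parse_scorecard(text: str) -> list[Finding]:
    """Turn the flattened table into Finding records. A signals line attaches
    to the row before it; anything else (apart from the header) is an error,
    not silently dropped, so a layout change cannot hide rows."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CVE Summary"):
            continue
        row = ROW_RE.match(line)
        if row:
            findings.append(Finding(
                cve=row["cve"], summary=row["summary"], severity=row["severity"],
                cvss=float(row["cvss"]), epss=float(row["epss"]) / 100,
                priority=int(row["priority"]),
            ))
        elif findings and SIGNAL_LINE_RE.fullmatch(line):
            findings[-1].signals.update(re.findall(SIGNAL_TOKEN, line))
        else:
            raise ValueError(f"unrecognised scorecard line: {line!r}")
    return findings


def triage(f: Finding, epss_floor: float = 0.10) -> str:
    """Assumed tiering (not the scorecard's Priority formula): confirmed
    exploitation first, then evidence of exploitability, then the rest of the
    Critical/High backlog. 'No patch' changes the action (mitigate instead of
    patch), not the tier."""
    if "KEV" in f.signals:
        return "act-now"
    if "PoC" in f.signals or f.epss >= epss_floor:
        return "exploit-likely"
    if f.severity in ("CRITICAL", "HIGH"):
        return "patch-cycle"
    return "monitor"


def summarize(findings: list[Finding]) -> dict:
    """Recompute the headline cards from the rows so they can be cross-checked
    against the table they are supposed to describe."""
    crit_high = [f for f in findings if f.severity in ("CRITICAL", "HIGH")]
    return {
        "cves": len(findings),
        "kev": sum("KEV" in f.signals for f in findings),
        "poc": sum("PoC" in f.signals for f in findings),
        "unpatched_c_h": sum("No patch" in f.signals for f in crit_high),
        "avg_epss": round(statistics.fmean([f.epss for f in findings]), 4),
    }


if __name__ == "__main__":
    rows = parse_scorecard(SAMPLE_TABLE)
    for f in sorted(rows, key=lambda r: (-r.priority, r.cve)):
        flags = ", ".join(sorted(f.signals)) or "-"
        print(f"{f.cve}  {triage(f):15}  CVSS {f.cvss:4}  EPSS {f.epss:6.1%}  {flags}")
    print(summarize(rows))
```

Run against the full table, the recomputed cards should match the page's own (2 KEV, 5 PoC, 72 unpatched Critical/High); a mismatch means the "Top Risky" list is a subset of the period, which is the case here, or that the cards and table were generated from different snapshots. Treat "No patch" as a prompt to look up the Adobe bulletin, not as a fact.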
