
Adobe

Vendor security scorecard – 447 CVEs in the selected period

Risk score: 739
CVEs: 447
Critical: 13
High: 99
KEV (CISA Known Exploited Vulnerabilities): 3
PoC (public exploit code): 5
Unpatched Critical/High: 101
Patch rate: 4.5%
Average EPSS: 0.4%

Severity Breakdown

CRITICAL: 13
HIGH: 99
MEDIUM: 328
LOW: 7

Monthly CVE Trend (chart; data not reproduced in this extract)

Top Risky CVEs

Source table columns: CVE, Summary, Severity, CVSS, EPSS, Priority, Signals. Each entry below lists the CVE with its severity, CVSS base score, EPSS probability, the site's Priority value and the Signals flags on one line, followed by the summary.

CVE-2025-54236 | CRITICAL | CVSS 9.1 | EPSS 73.7% | Priority 189 | Signals: KEV, PoC, No patch
Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation; exploitation in the wild is confirmed (CISA KEV). With a 73.72% EPSS score (99th percentile) and public exploit code available, this is a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts, including administrative sessions, without requiring victim interaction.

CVE-2025-54253 | CRITICAL | CVSS 10.0 | EPSS 12.8% | Priority 133 | Signals: KEV, PoC, No patch
Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0).

CVE-2026-34621 | HIGH | CVSS 8.6 | EPSS 0.2% | Priority 118 | Signals: KEV, PoC, No patch
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in the user's context via malicious PDF files; the attack requires the user to open a crafted document. This row is internally inconsistent: the summary cites CVSS 9.6 (Critical) and "network-deliverable" code execution while the table lists 8.6 (High), and the summary reports no public exploit identified at the time of analysis while the signal flags show KEV and PoC. Verify the score and the exploitation status against the Adobe advisory. EPSS 0.24% (46th percentile) indicates a low predicted exploitation probability.

CVE-2025-49533 | CRITICAL | CVSS 9.8 | EPSS 47.0% | Priority 96 | Signals: No patch
Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution. No user interaction is required, making this a direct attack against enterprise content management infrastructure.

CVE-2026-27809 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 66 | Signals: PoC
Integer overflow in the psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to a heap overflow. PoC and patch available. (psd-tools is a third-party parser for Adobe's PSD format, not an Adobe product.)

CVE-2025-27203 | CRITICAL | CVSS 9.6 | EPSS 14.7% | Priority 63 | Signals: No patch
Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.

CVE-2026-34659 | CRITICAL | CVSS 9.6 | EPSS 1.5% | Priority 50 | Signals: No patch
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr (summary truncated in source)

CVE-2026-27303 | CRITICAL | CVSS 9.6 | EPSS 1.5% | Priority 50 | Signals: No patch
Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. The description states that no user interaction is required, yet the CVSS vector carries UI:R; the changed scope indicates impact beyond the vulnerable component. The summary cites Adobe patch APSB26-37 while the signal flags show no patch; verify both points against the Adobe advisory. An EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation is confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge.

CVE-2026-34615 | CRITICAL | CVSS 9.3 | EPSS 1.4% | Priority 48 | Signals: No patch
Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The scope is changed (CVSS 9.3), so the impact extends beyond the vulnerable component. The summary says Adobe issued patch APSB26-37, although the signal flags show no patch. EPSS is 1.44% (81st percentile), and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: the vector indicates user interaction is required (UI:R) while the description states it "does not require user interaction"; verify the actual interaction requirement against the Adobe advisory.

CVE-2026-34660 | CRITICAL | CVSS 9.3 | EPSS 0.5% | Priority 47 | Signals: No patch
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code (summary truncated in source)

CVE-2026-27243 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victims' browsers through crafted URLs. The changed scope (S:C) in the CVSS vector records that the impact lands in the victim's browser rather than in the vulnerable Connect server; combined with high confidentiality and integrity impact, that lifts the score to 9.3 despite the bug being "just" XSS. User interaction (clicking a malicious link) is required, but no authentication. The EPSS score of 0.10% (27th percentile) suggests a low probability of mass exploitation. CISA's SSVC assessment rates it non-automatable with total technical impact and no observed exploitation, which argues for prioritized patching in internet-facing Adobe Connect deployments but not an emergency response.

CVE-2026-27245 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victims' browsers through crafted URLs. The changed scope (S:C) reflects that the vulnerable component is the Connect server while the impacted component is the user's browser; it does not mean the script can reach other origins, which the browser's same-origin policy still isolates. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). The EPSS score of 0.10% (27th percentile) and the SSVC classification of non-automatable with no observed exploitation suggest a lower priority than the CVSS score alone indicates.

CVE-2026-27246 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victims' browsers when users visit attacker-crafted web pages. The changed scope (S:C) in the CVSS vector records that the impact falls on the user's browser, outside the vulnerable component's security authority; in practice the script runs with the victim's Connect session and can act on other Connect features on their behalf. The summary says Adobe has released a patch in APSB26-37, although the signal flags show no patch. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), so this is currently a theoretical rather than an imminent mass-exploitation risk.

CVE-2026-42155 | CRITICAL | CVSS 9.3 | EPSS 0.0% | Priority 47 | Signals: none listed
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed as md5(time() . uniqid('', true) . null), so an attacker faces only a predictable timestamp and microsecond component plus a constrained LCG float, far less than the 64 bits of entropy that OWASP ASVS requires for session tokens. A working Python PoC is published with the advisory. (OpenMage LTS is the community-maintained fork of Magento 1, not an Adobe product.)

CVE-2025-60991 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 44 | Signals: No patch
A reflected cross-site scripting (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the cat parameter.

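The CVE-2026-42155 summary describes a session ID built as md5(time() . uniqid('', true) . null) and says the result has far less than 64 bits of entropy. The block below is an added example (not the advisory's PoC and not OpenMage code) that models that construction, counts the attacker's search space, brute-forces a token once the second and the LCG component are pinned down, and shows the hardened replacement. It assumes PHP's uniqid() layout with more_entropy=true (seconds as 8 hex digits, microseconds as 5 hex digits, then lcg_value()*10 printed with 8 decimals); treating the LCG float as known is a simplifying assumption that stands in for the page's "constrained LCG float".

```python
import hashlib
import math
import secrets


def legacy_session_id(sec, usec, lcg_float):
    """Model of md5(time() . uniqid('', true)) as described on the page.

    Assumption: uniqid('', true) formats "%08x%05x%.8F" from the current
    second, the microsecond field and lcg_value()*10; time() prepends the
    same second in decimal, and the trailing null concatenates as "".
    """
    uniq = "%08x%05x%.8F" % (sec, usec, lcg_float)
    return hashlib.md5((str(sec) + uniq).encode("ascii")).hexdigest()


def search_space_bits(sec_window, usec_values=1_000_000, lcg_values=10**9):
    """Upper bound on the token's entropy from the attacker's point of view.

    sec_window: seconds of uncertainty about the server clock (the HTTP
    Date header narrows it to a few). usec has 10^6 values and the 8-decimal
    LCG field at most 10^9, so even with nothing else known the bound is
    well under the 64 bits that ASVS requires.
    """
    return math.log2(sec_window * usec_values * lcg_values)


def recover_session_id(target, approx_sec, lcg_float, window=1):
    """Brute-force the microsecond field inside +/- window seconds.

    Mirrors the shape of the attack the page describes: the attacker knows
    the second (from the response's Date header) and, for this demo, the
    LCG contribution, leaving at most 10^6 * (2*window+1) MD5 trials.
    """
    for sec in range(approx_sec - window, approx_sec + window + 1):
        for usec in range(1_000_000):
            if legacy_session_id(sec, usec, lcg_float) == target:
                return sec, usec
    return None


def secure_session_id():
    """Hardened replacement: 256 bits from the OS CSPRNG, no time input."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed server-side values for the demo (not captured data).
    sec, usec, lcg = 1_700_000_000, 123_456, 4.12345678
    token = legacy_session_id(sec, usec, lcg)
    print("legacy token:", token)
    print("attacker search space with a 3 s clock window: %.1f bits" % search_space_bits(3))
    print("recovered (sec, usec):", recover_session_id(token, sec, lcg))
    print("hardened token:", secure_session_id())
```

With a three-second clock window the bound is about 51 bits, and once the LCG term is fixed the remaining work is a million hashes per second of uncertainty, which finishes in seconds on one core. The fix is not a stronger hash over the same inputs but an input that is itself unpredictable, which is what secrets.token_hex() (or PHP's random_bytes()) provides.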