Skip to main content

Adobe

Vendor security scorecard – 140 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 373
140
CVEs
14
Critical
34
High
1
KEV
3
PoC
42
Unpatched C/H
5.7%
Patch Rate
0.7%
Avg EPSS

Severity Breakdown

CRITICAL
14
HIGH
34
MEDIUM
88
LOW
4

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-45247 Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module. CRITICAL 9.3 0.1% 117
KEV PoC
CVE-2026-53787 Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension. CRITICAL 9.3 0.2% 67
PoC
CVE-2026-48286 Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 10.0 0.7% 51
No patch
CVE-2026-48303 Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation. CRITICAL 10.0 0.5% 50
No patch
CVE-2026-47938 Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers. CRITICAL 10.0 0.1% 50
No patch
CVE-2026-48358 Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis. CRITICAL 10.0 0.9% 50
No patch
CVE-2026-34659 Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr CRITICAL 9.6 1.5% 50
No patch
CVE-2026-48359 Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch. CRITICAL 9.6 0.5% 48
No patch
CVE-2026-48259 Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation. CRITICAL 9.6 0.4% 48
No patch
CVE-2026-48356 Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical. CRITICAL 9.6 28.3% 48
No patch
CVE-2026-34660 Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code CRITICAL 9.3 0.5% 47
No patch
CVE-2026-42155 Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory. CRITICAL 9.3 0.0% 47
CVE-2026-47988 Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts. CRITICAL 9.1 0.5% 46
No patch
CVE-2026-47984 Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority. CRITICAL 9.1 0.5% 46
No patch
CVE-2026-40488 Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided. HIGH 8.7 0.1% 44

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy