140
CVEs
14
Critical
34
High
1
KEV
3
PoC
42
Unpatched C/H
5.7%
Patch Rate
0.7%
Avg EPSS
Severity Breakdown
CRITICAL
14
HIGH
34
MEDIUM
88
LOW
4
Monthly CVE Trend
Affected Products (30)
Acrobat Reader Dc
1611
Acrobat Dc
1611
Acrobat
1078
Experience Manager
904
Flash Player
869
Acrobat Reader
801
Air Sdk
404
Magento
361
Air
361
Air Sdk Compiler
360
Reader
351
Flash Player Desktop Runtime
284
Commerce
159
Experience Manager Cloud Service
154
Adobe Air
102
Dimension
99
Enterprise Linux Workstation
99
Framemaker
99
Enterprise Linux Desktop
99
Bridge
95
Adobe Air Sdk
95
Enterprise Linux Server
90
Commerce B2b
88
Air Desktop Runtime
85
Photoshop Cc
77
Coldfusion
76
Opensuse
76
Indesign
73
Illustrator
72
Digital Editions
68
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-45247 | Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module. | CRITICAL | 9.3 | 0.1% | 117 |
KEV
PoC
|
| CVE-2026-53787 | Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension. | CRITICAL | 9.3 | 0.2% | 67 |
PoC
|
| CVE-2026-48286 | Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 10.0 | 0.7% | 51 |
No patch
|
| CVE-2026-48303 | Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation. | CRITICAL | 10.0 | 0.5% | 50 |
No patch
|
| CVE-2026-47938 | Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers. | CRITICAL | 10.0 | 0.1% | 50 |
No patch
|
| CVE-2026-48358 | Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis. | CRITICAL | 10.0 | 0.9% | 50 |
No patch
|
| CVE-2026-34659 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitr | CRITICAL | 9.6 | 1.5% | 50 |
No patch
|
| CVE-2026-48359 | Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch. | CRITICAL | 9.6 | 0.5% | 48 |
No patch
|
| CVE-2026-48259 | Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation. | CRITICAL | 9.6 | 0.4% | 48 |
No patch
|
| CVE-2026-48356 | Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical. | CRITICAL | 9.6 | 28.3% | 48 |
No patch
|
| CVE-2026-34660 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code | CRITICAL | 9.3 | 0.5% | 47 |
No patch
|
| CVE-2026-42155 | Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory. | CRITICAL | 9.3 | 0.0% | 47 |
|
| CVE-2026-47988 | Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts. | CRITICAL | 9.1 | 0.5% | 46 |
No patch
|
| CVE-2026-47984 | Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority. | CRITICAL | 9.1 | 0.5% | 46 |
No patch
|
| CVE-2026-40488 | Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided. | HIGH | 8.7 | 0.1% | 44 |
|