Adobe Based in San Jose, best known for creating Photoshop, Acrobat (PDF).
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Adobe product.
RSS Feeds for Adobe security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Adobe products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Adobe Sorted by Most Security Vulnerabilities since 2018
Adobe Experience Manager1085 vulnerabilities
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, mobile apps and forms
Adobe ColdFusion158 vulnerabilities
Web application server since 1995. Tag or script based programming language CFML.
Adobe Creative Cloud Desktop Application21 vulnerabilities
The desktop client for Adobe Creative Cloud
Recent Adobe Security Advisories
| Advisory | Title | Published |
|---|---|---|
| APSB26-05 | Security Updates Available for Adobe Commerce | APSB26-05 | March 10, 2026 |
| APSB26-18 | Security Updates Available for Adobe Illustrator | APSB26-18 | March 10, 2026 |
| APSB26-30 | Security update available for Adobe DNG Software Development Kit (SDK) | APSB26-30 | March 10, 2026 |
| APSB26-24 | Security updates available for Adobe Experience Manager | APSB26-24 | March 10, 2026 |
| APSB26-26 | Prenotification Security Advisory for Adobe Acrobat and Reader | APSB26-26 | March 10, 2026 |
| APSB26-22 | Security updates available for Adobe Substance3D - Modeler | APSB26-22 | February 10, 2026 |
| APSB26-06 | Security Updates Available for Adobe Lightroom | APSB26-06 | February 10, 2026 |
| APSB26-17 | Security Update Available for Adobe InDesign | APSB26-17 | February 10, 2026 |
| APSB26-14 | Security Updates Available for Adobe Audition | APSB26-14 | February 10, 2026 |
| APSB26-21 | Security Updates Available for Adobe Bridge | APSB26-21 | February 10, 2026 |
Known Exploited Adobe Vulnerabilities
The following Adobe vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Adobe Commerce and Magento Improper Input Validation Vulnerability |
Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. CVE-2025-54236 Exploit Probability: 71.6% |
October 24, 2025 |
| Adobe Experience Manager Forms Code Execution Vulnerability |
Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. CVE-2025-54253 Exploit Probability: 12.8% |
October 15, 2025 |
| Adobe ColdFusion Deserialization Vulnerability |
Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution. CVE-2017-3066 Exploit Probability: 93.4% |
February 24, 2025 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. CVE-2024-20767 Exploit Probability: 94.0% |
December 16, 2024 |
| Adobe Flash Player Double Free Vulnerablity |
Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code. CVE-2014-0502 Exploit Probability: 89.0% |
September 17, 2024 |
| Adobe Flash Player Incorrect Default Permissions Vulnerability |
Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content. CVE-2013-0643 Exploit Probability: 57.9% |
September 17, 2024 |
| Adobe Flash Player Code Execution Vulnerability |
Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content. CVE-2013-0648 Exploit Probability: 54.7% |
September 17, 2024 |
| Adobe Flash Player Integer Underflow Vulnerablity |
Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code. CVE-2014-0497 Exploit Probability: 92.9% |
September 17, 2024 |
| Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V |
Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. CVE-2024-34102 Exploit Probability: 94.1% |
July 17, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. CVE-2023-38203 Exploit Probability: 94.2% |
January 8, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. CVE-2023-29300 Exploit Probability: 93.7% |
January 8, 2024 |
| Adobe Acrobat and Reader Use-After-Free Vulnerability |
Adobe Acrobat and Reader contains a use-after-free vulnerability that allows for code execution in the context of the current user. CVE-2023-21608 Exploit Probability: 84.1% |
October 10, 2023 |
| Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability |
Adobe Acrobat and Reader contains an out-of-bounds write vulnerability that allows for code execution. CVE-2023-26369 Exploit Probability: 0.6% |
September 14, 2023 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user. CVE-2023-26359 Exploit Probability: 85.7% |
August 21, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. CVE-2023-29298 Exploit Probability: 94.3% |
July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. CVE-2023-38205 Exploit Probability: 94.2% |
July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability |
Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. CVE-2023-26360 Exploit Probability: 94.3% |
March 15, 2023 |
| Adobe Flash Player Memory Corruption Vulnerability |
Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. CVE-2010-1297 Exploit Probability: 93.0% |
June 8, 2022 |
| Adobe Acrobat and Reader Double Free Vulnerability |
Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution. CVE-2018-4990 Exploit Probability: 51.5% |
June 8, 2022 |
| Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability |
Adobe Acrobat and Reader and Adobe Flash Player allows remote attackers to execute code or cause denial-of-service. CVE-2009-1862 Exploit Probability: 58.6% |
June 8, 2022 |
Of the known exploited vulnerabilities above, 13 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Adobe vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Adobe Vulnerabilities
Based on the current exploit probability, these Adobe vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2018-15961 | 94.4% | Adobe ColdFusion Remote Code Execution |
| 2 | CVE-2023-26360 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
| 3 | CVE-2023-29298 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
| 4 | CVE-2010-2861 | 94.3% | Adobe ColdFusion Directory Traversal Vulnerability |
| 5 | CVE-2023-38203 | 94.2% | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
| 6 | CVE-2023-38205 | 94.2% | Adobe ColdFusion Improper Access Control Vulnerability |
| 7 | CVE-2024-34102 | 94.1% | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V |
| 8 | CVE-2024-20767 | 94.0% | Adobe ColdFusion Improper Access Control Vulnerability |
| 9 | CVE-2008-2992 | 93.7% | Adobe Reader and Acrobat Input Validation Vulnerability |
| 10 | CVE-2023-29300 | 93.7% | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
By the Year
In 2026 there have been 155 vulnerabilities in Adobe with an average score of 6.5 out of ten. Last year, in 2025 Adobe had 817 security vulnerabilities published. Right now, Adobe is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 155 | 6.50 |
| 2025 | 817 | 6.33 |
| 2024 | 753 | 6.20 |
| 2023 | 668 | 6.35 |
| 2022 | 421 | 6.80 |
| 2021 | 323 | 6.73 |
| 2020 | 344 | 7.74 |
| 2019 | 324 | 6.72 |
| 2018 | 94 | 7.91 |
It may take a day or so for new Adobe vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Adobe Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-27309 | Mar 27, 2026 |
Substance3D Stager UAF CVE-2026-27309 (3.1.6)Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
Substance 3d Stager
|
| CVE-2026-21291 | Mar 11, 2026 |
Adobe Commerce 2.4.x XSS in Stored Form FieldsAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21293 | Mar 11, 2026 |
Adobe Commerce SSRF Bypass 2.4.xAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21282 | Mar 11, 2026 |
Improper Input Validation in Adobe Commerce 2.4.9-alpha3 & prior leads to DoSAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21286 | Mar 11, 2026 |
Adobe Commerce <=2.4.9-alpha3: Auth Bypass via Incorrect AuthorizationAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21294 | Mar 11, 2026 |
Adobe Commerce SSRF before 2.4.9-a3 & 2.4.8-p3 (Security bypass)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21284 | Mar 11, 2026 |
Adobe Commerce <2.4.9-alpha3 XSS VulnerabilityAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21297 | Mar 11, 2026 |
Adobe Commerce 2.4.x Incorrect Auth: Security Feature Bypass (CVE-2026-21297)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21359 | Mar 11, 2026 |
Adobe Commerce Incorrect Auth 2.4.9-alpha32.4.4-p16Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21309 | Mar 11, 2026 |
Adobe Commerce 2.4.x Auth Bypass (Security Feature Exemption)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21292 | Mar 11, 2026 |
Adobe Commerce XSS in Form Fields v2.4.9-alpha3 & EarlierAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21310 | Mar 11, 2026 |
Adobe Commerce Improper Input Validation, pre-2.4.9-alpha3Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21285 | Mar 11, 2026 |
Adobe Commerce v2.4.x Incorrect Auth Bypass (Before 2.4.9-alpha3)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21290 | Mar 11, 2026 |
Adobe Commerce XSS in form fields pre-2.4.9 enables session hijackAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21361 | Mar 11, 2026 |
Adobe Commerce 2.4.x Stored XSS before 2.4.9-alpha3 (CVE-2026-21361)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21289 | Mar 11, 2026 |
Adobe Commerce <=2.4.93: Incorrect Auth Bypass (SECAUTH)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21360 | Mar 11, 2026 |
Adobe Commerce 2.4.5-P15 & earlier Path Traversal (2.4.9alpha3)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restricted path. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21296 | Mar 11, 2026 |
Adobe Commerce 2.4.9-alpha3 Incorrect Auth Bypass (Security Feature)Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-21311 | Mar 11, 2026 |
Adobe Commerce <2.4.9 stored XSS in form fieldsAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. |
Adobe Commerce
Commerce
|
| CVE-2026-21295 | Mar 11, 2026 |
Adobe Commerce 2.4.9-alpha3 & earlier: Open Redirect VulnerabilityAdobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction. |
Adobe Commerce
Commerce
|
| CVE-2026-27241 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 XSS via Form Field InjectionAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27244 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 XSS in Form Fields (Low-Privileged Attack)Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27255 | Mar 11, 2026 |
Adobe Experience Manager <6.5.23 Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27251 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23- Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27223 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23-or-earlier: Stored XSS (fixed 6.5.24)Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27263 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23- before 6.5.24: Stored XSS in form fields |
Experience Manager
|
| CVE-2026-27262 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27261 | Mar 11, 2026 |
Experience Manager 6.5.23 Stored XSS via form fields |
Experience Manager
|
| CVE-2026-27232 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 XSS via Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27249 | Mar 11, 2026 |
Adobe AEM <=6.5.23 XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27247 | Mar 11, 2026 |
Adobe Experience Manager XSS in form fields (6.5.23)Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27242 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 & earlier XSS via form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27252 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27235 | Mar 11, 2026 |
Adobe Experience Manager <6.5.23 XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27225 | Mar 11, 2026 |
Adobe Experience Manager <6.5.23: Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27260 | Mar 11, 2026 |
Adobe Experience Manager XSS via Form Fields before 6.5.23 |
Experience Manager
|
| CVE-2026-27256 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27237 | Mar 11, 2026 |
Adobe Experience Manager <6.5.23 stored XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27265 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 & <6.5.23 Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27233 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27236 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 and earlier XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27240 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23: Stored XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27239 | Mar 11, 2026 |
Adobe Experience Manager 6.5.x XSS via stored script in form fields (pre 6.5.23)Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27234 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 XSS in Form FieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27259 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 Stored XSS in Form Fields |
Experience Manager
|
| CVE-2026-27231 | Mar 11, 2026 |
XSS in Adobe Experience Manager 6.5.23 Form Fields - Stored Script InjectionAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27264 | Mar 11, 2026 |
AEM Stored XSS in Form Fields before 6.5.23 |
Experience Manager
|
| CVE-2026-27230 | Mar 11, 2026 |
Adobe Experience Manager 6.5.23 and earlier: Stored XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27229 | Mar 11, 2026 |
Adobe Experience Manager <=6.5.23 stored XSS in form fieldsAdobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|
| CVE-2026-27266 | Mar 11, 2026 |
Stored XSS in Adobe Experience Manager <=6.5.23Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field. |
Experience Manager
|