Adobe is based in San Jose and is best known for creating Photoshop and Acrobat (PDF).
Products by Adobe sorted by most security vulnerabilities since 2018
- Adobe Experience Manager: 903 vulnerabilities. Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms.
- Adobe ColdFusion: 143 vulnerabilities. Web application server since 1995, programmed in the tag- or script-based language CFML.
- Adobe Creative Cloud Desktop Application: 11 vulnerabilities. The desktop client for Adobe Creative Cloud.
Recent Adobe Security Advisories
Advisory | Title | Published |
---|---|---|
APSB25-69 | Security updates available for Adobe ColdFusion | July 8, 2025 |
APSB25-63 | Security updates available for Adobe Dimension | July 8, 2025 |
APSB25-60 | Security Update Available for Adobe InDesign | July 8, 2025 |
APSB25-67 | Security updates available for Adobe Experience Manager | July 8, 2025 |
APSB25-65 | Security Updates Available for Adobe Illustrator | July 8, 2025 |
APSB25-68 | Security updates available for Adobe Experience Manager Screens | July 8, 2025 |
APSB25-59 | Security Update Available for Adobe InCopy | July 8, 2025 |
APSB25-56 | Security Updates Available for Adobe Audition | July 8, 2025 |
APSB25-54, APSB25-51 | Security updates available for Adobe Substance3D - Viewer | July 8, 2025 |
APSB25-61 | Security updates available for Adobe Connect | July 8, 2025 |
Known Exploited Adobe Vulnerabilities
The following Adobe vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
Title | CVE | Exploit Probability (EPSS) | Description | Added |
---|---|---|---|---|
Adobe ColdFusion Deserialization Vulnerability | CVE-2017-3066 | 93.4% | Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution. | February 24, 2025 |
Adobe ColdFusion Improper Access Control Vulnerability | CVE-2024-20767 | 94.1% | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | December 16, 2024 |
Adobe Flash Player Double Free Vulnerability | CVE-2014-0502 | 86.3% | Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code. | September 17, 2024 |
Adobe Flash Player Incorrect Default Permissions Vulnerability | CVE-2013-0643 | 36.3% | Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content. | September 17, 2024 |
Adobe Flash Player Code Execution Vulnerability | CVE-2013-0648 | 36.9% | Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content. | September 17, 2024 |
Adobe Flash Player Integer Underflow Vulnerability | CVE-2014-0497 | 93.2% | Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code. | September 17, 2024 |
Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V | CVE-2024-34102 | 94.4% | Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. | July 17, 2024 |
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | CVE-2023-38203 | 94.3% | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | January 8, 2024 |
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | CVE-2023-29300 | 92.9% | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | January 8, 2024 |
Adobe Acrobat and Reader Use-After-Free Vulnerability | CVE-2023-21608 | 89.0% | Adobe Acrobat and Reader contain a use-after-free vulnerability that allows for code execution in the context of the current user. | October 10, 2023 |
Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | CVE-2023-26369 | 0.4% | Adobe Acrobat and Reader contain an out-of-bounds write vulnerability that allows for code execution. | September 14, 2023 |
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | CVE-2023-26359 | 87.8% | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user. | August 21, 2023 |
Adobe ColdFusion Improper Access Control Vulnerability | CVE-2023-29298 | 94.3% | Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. | July 20, 2023 |
Adobe ColdFusion Improper Access Control Vulnerability | CVE-2023-38205 | 94.3% | Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. | July 20, 2023 |
Adobe ColdFusion Improper Access Control Vulnerability | CVE-2023-26360 | 94.3% | Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. | March 15, 2023 |
Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability | CVE-2009-3953 | 90.5% | Adobe Acrobat and Reader contain an array boundary issue in Universal 3D (U3D) support that could lead to remote code execution. | June 8, 2022 |
Adobe Flash Player Memory Corruption Vulnerability | CVE-2010-1297 | 93.6% | Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. | June 8, 2022 |
Adobe Acrobat and Reader Unspecified Vulnerability | CVE-2008-0655 | 71.0% | Adobe Acrobat and Reader contain an unspecified vulnerability described as a design flaw which could allow a specially crafted file to be printed silently an arbitrary number of times. | June 8, 2022 |
Adobe Acrobat and Reader Double Free Vulnerability | CVE-2018-4990 | 60.1% | Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution. | June 8, 2022 |
Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability | CVE-2009-1862 | 58.0% | Adobe Acrobat and Reader and Adobe Flash Player allow remote attackers to execute code or cause denial-of-service. | June 8, 2022 |
Of the known exploited vulnerabilities above, 14 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Adobe vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Adobe Vulnerabilities
Based on the current exploit probability, these Adobe vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
Rank | CVE | EPSS | Vulnerability |
---|---|---|---|
1 | CVE-2018-15961 | 94.4% | Adobe ColdFusion Remote Code Execution |
2 | CVE-2024-34102 | 94.4% | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V |
3 | CVE-2010-2861 | 94.3% | Adobe ColdFusion Directory Traversal Vulnerability |
4 | CVE-2023-26360 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
5 | CVE-2023-29298 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
6 | CVE-2023-38205 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
7 | CVE-2023-38203 | 94.3% | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
8 | CVE-2024-20767 | 94.1% | Adobe ColdFusion Improper Access Control Vulnerability |
9 | CVE-2009-0927 | 93.7% | Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow Vulnerability |
10 | CVE-2010-1297 | 93.6% | Adobe Flash Player Memory Corruption Vulnerability |
By the Year
In 2025 there have been 520 vulnerabilities in Adobe products, with an average score of 6.3 out of ten. Last year, in 2024, Adobe had 747 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the number of security vulnerabilities in Adobe products in 2025 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.14.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 520 | 6.34 |
2024 | 747 | 6.20 |
2023 | 590 | 6.29 |
2022 | 421 | 6.80 |
2021 | 319 | 6.79 |
2020 | 307 | 7.47 |
2019 | 46 | 7.39 |
2018 | 94 | 7.64 |
It may take a day or so for new Adobe vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Adobe Security Vulnerabilities
CVE | Severity | Published | Description | Category |
---|---|---|---|---|
CVE-2025-47097 | 7.8 - High | July 08, 2025 | InCopy versions 20.3, 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer underflow |
CVE-2025-47098 | 7.8 - High | July 08, 2025 | InCopy versions 20.3, 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Access of Uninitialized Pointer |
CVE-2025-47099 | 7.8 - High | July 08, 2025 | InCopy versions 20.3, 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47119 | 5.5 - Medium | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | NULL Pointer Dereference |
CVE-2025-47120 | 5.5 - Medium | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Stack Overflow |
CVE-2025-47133 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47132 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47131 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47130 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer underflow |
CVE-2025-47129 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47128 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer underflow |
CVE-2025-47127 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47126 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47125 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47124 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47123 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47122 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47121 | 7.8 - High | July 08, 2025 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Access of Uninitialized Pointer |
CVE-2025-49524 | 5.5 - Medium | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | NULL Pointer Dereference |
CVE-2025-49533 | 9.8 - Critical | July 08, 2025 | Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged. | Marshaling, Unmarshaling |
CVE-2025-49534 | 5.4 - Medium | July 08, 2025 | Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | XSS |
CVE-2025-49547 | 5.4 - Medium | July 08, 2025 | Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | XSS |
CVE-2025-47136 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer underflow |
CVE-2025-43591 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-43592 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Access of Uninitialized Pointer |
CVE-2025-43594 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-47103 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-47134 | 7.8 - High | July 08, 2025 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Heap-based Buffer Overflow |
CVE-2025-27203 | 9.6 - Critical | July 08, 2025 | Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed. | Marshaling, Unmarshaling |
CVE-2025-49526 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-49527 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Stack Overflow |
CVE-2025-49529 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Access of Uninitialized Pointer |
CVE-2025-49530 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Memory Corruption |
CVE-2025-49528 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Stack Overflow |
CVE-2025-49531 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer Overflow or Wraparound |
CVE-2025-49532 | 7.8 - High | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Integer underflow |
CVE-2025-30313 | 5.5 - Medium | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Out-of-bounds Read |
CVE-2025-49525 | 5.5 - Medium | July 08, 2025 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Out-of-bounds Read |
CVE-2025-27165 | 5.5 - Medium | July 08, 2025 | Substance3D - Stager versions 3.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Out-of-bounds Read |
CVE-2025-49546 | 4.5 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability to disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses. | Authorization |
CVE-2025-49545 | 6.2 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | SSRF |
CVE-2025-49544 | 6.8 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed. | XXE |
CVE-2025-49535 | 9.3 - Critical | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to access sensitive information or cause a denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | XXE |
CVE-2025-49536 | 7.3 - High | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | AuthZ |
CVE-2025-49543 | 4.3 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field; scope is changed. The vulnerable component is restricted to internal IP addresses. | XSS |
CVE-2025-49539 | 4.5 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | XXE |
CVE-2025-49538 | 7.4 - High | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or cause a denial of service. Exploitation of this issue does not require user interaction, but the attacker must have access to shared secrets. | aka Blind XPath Injection |
CVE-2025-49537 | 7.9 - High | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | Shell injection |
CVE-2025-49551 | 8.8 - High | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | Use of Hard-coded Credentials |
CVE-2025-49542 | 5.2 - Medium | July 08, 2025 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser; scope is changed. The vulnerable component is restricted to internal IP addresses. | XSS |