Adobe: based in San Jose, best known for creating Photoshop and Acrobat (PDF).
Products by Adobe Sorted by Most Security Vulnerabilities since 2018
| Product | Vulnerabilities | Description |
|---|---|---|
| Adobe Experience Manager | 1044 | Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms. |
| Adobe ColdFusion | 158 | Web application server since 1995, programmed with the tag- or script-based language CFML. |
| Adobe Creative Cloud Desktop Application | 13 | The desktop client for Adobe Creative Cloud. |
Recent Adobe Security Advisories
| Advisory | Title | Published |
|---|---|---|
| APSB26-11 | Security updates available for Adobe Substance 3D - Sampler | January 14, 2026 |
| APSB26-02 | Security Update Available for Adobe InDesign | January 13, 2026 |
| APSB26-12 | Security updates available for Adobe ColdFusion | January 13, 2026 |
| APSB26-08 | Security updates available for Adobe Substance3D - Modeler | January 13, 2026 |
| APSB26-04 | Security Update Available for Adobe InCopy | January 13, 2026 |
| APSB26-01 | Security update available for Adobe Dreamweaver | January 13, 2026 |
| APSB26-07 | Security Updates Available for Adobe Bridge | January 13, 2026 |
| APSB26-03 | Security Updates Available for Adobe Illustrator | January 13, 2026 |
| APSB25-115 | Security updates available for Adobe Experience Manager | December 9, 2025 |
| APSB25-120 | Security update available for Adobe Creative Cloud Desktop Application | December 9, 2025 |
Known Exploited Adobe Vulnerabilities
The following Adobe vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | Exploit Probability (EPSS) | Added |
|---|---|---|---|---|
| Adobe Commerce and Magento Improper Input Validation Vulnerability | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. | CVE-2025-54236 | 61.7% | October 24, 2025 |
| Adobe Experience Manager Forms Code Execution Vulnerability | Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. | CVE-2025-54253 | 58.7% | October 15, 2025 |
| Adobe ColdFusion Deserialization Vulnerability | Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution. | CVE-2017-3066 | 93.4% | February 24, 2025 |
| Adobe ColdFusion Improper Access Control Vulnerability | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | CVE-2024-20767 | 94.2% | December 16, 2024 |
| Adobe Flash Player Double Free Vulnerability | Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code. | CVE-2014-0502 | 90.1% | September 17, 2024 |
| Adobe Flash Player Incorrect Default Permissions Vulnerability | Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content. | CVE-2013-0643 | 65.3% | September 17, 2024 |
| Adobe Flash Player Code Execution Vulnerability | Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content. | CVE-2013-0648 | 65.9% | September 17, 2024 |
| Adobe Flash Player Integer Underflow Vulnerability | Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code. | CVE-2014-0497 | 93.3% | September 17, 2024 |
| Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V | Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. | CVE-2024-34102 | 94.1% | July 17, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | CVE-2023-38203 | 94.3% | January 8, 2024 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | CVE-2023-29300 | 93.8% | January 8, 2024 |
| Adobe Acrobat and Reader Use-After-Free Vulnerability | Adobe Acrobat and Reader contains a use-after-free vulnerability that allows for code execution in the context of the current user. | CVE-2023-21608 | 83.9% | October 10, 2023 |
| Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | Adobe Acrobat and Reader contains an out-of-bounds write vulnerability that allows for code execution. | CVE-2023-26369 | 0.6% | September 14, 2023 |
| Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user. | CVE-2023-26359 | 86.8% | August 21, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability | Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. | CVE-2023-29298 | 94.3% | July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability | Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass. | CVE-2023-38205 | 94.3% | July 20, 2023 |
| Adobe ColdFusion Improper Access Control Vulnerability | Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. | CVE-2023-26360 | 94.3% | March 15, 2023 |
| Adobe Flash Player Memory Corruption Vulnerability | Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. | CVE-2010-1297 | 93.4% | June 8, 2022 |
| Adobe Acrobat and Reader Double Free Vulnerability | Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution. | CVE-2018-4990 | 62.0% | June 8, 2022 |
| Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability | Adobe Acrobat and Reader and Adobe Flash Player allow remote attackers to execute code or cause denial-of-service. | CVE-2009-1862 | 58.6% | June 8, 2022 |
Of the known exploited vulnerabilities above, 13 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 6 known exploited Adobe vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Adobe Vulnerabilities
Based on the current exploit probability, these Adobe vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2018-15961 | 94.4% | Adobe ColdFusion Remote Code Execution |
| 2 | CVE-2023-26360 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
| 3 | CVE-2023-38205 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
| 4 | CVE-2023-29298 | 94.3% | Adobe ColdFusion Improper Access Control Vulnerability |
| 5 | CVE-2023-38203 | 94.3% | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
| 6 | CVE-2010-2861 | 94.2% | Adobe ColdFusion Directory Traversal Vulnerability |
| 7 | CVE-2024-20767 | 94.2% | Adobe ColdFusion Improper Access Control Vulnerability |
| 8 | CVE-2024-34102 | 94.1% | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) V |
| 9 | CVE-2018-15982 | 93.8% | Adobe Flash Player Use-After-Free Vulnerability |
| 10 | CVE-2023-29300 | 93.8% | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
By the Year
In 2026 there have been 25 vulnerabilities in Adobe products, with an average score of 7.3 out of ten. Last year, in 2025, Adobe had 817 security vulnerabilities published. Right now, Adobe is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.98.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 25 | 7.32 |
| 2025 | 817 | 6.33 |
| 2024 | 753 | 6.20 |
| 2023 | 668 | 6.35 |
| 2022 | 421 | 6.80 |
| 2021 | 319 | 6.78 |
| 2020 | 307 | 7.47 |
| 2019 | 46 | 7.39 |
| 2018 | 94 | 7.60 |
It may take a day or so for new Adobe vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Adobe Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-21301 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21299 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21298 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21300 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21303 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21302 | Jan 13, 2026 | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21307 | Jan 13, 2026 | Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21308 | Jan 13, 2026 | Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21306 | Jan 13, 2026 | Substance3D - Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21287 | Jan 13, 2026 | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21305 | Jan 13, 2026 | Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21283 | Jan 13, 2026 | Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21281 | Jan 13, 2026 | InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21280 | Jan 13, 2026 | Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file, and scope is changed. | |
| CVE-2026-21288 | Jan 13, 2026 | Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21277 | Jan 13, 2026 | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21304 | Jan 13, 2026 | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21275 | Jan 13, 2026 | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21278 | Jan 13, 2026 | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21276 | Jan 13, 2026 | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21267 | Jan 13, 2026 | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file, and scope is changed. | |
| CVE-2026-21271 | Jan 13, 2026 | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file, and scope is changed. | |
| CVE-2026-21274 | Jan 13, 2026 | Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |
| CVE-2026-21272 | Jan 13, 2026 | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file, and scope is changed. | |
| CVE-2026-21268 | Jan 13, 2026 | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file, and scope is changed. | |
| CVE-2025-64622 | Dec 10, 2025 | AEM <=6.5.23: Stored XSS in form fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64582 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23: Stored XSS in form fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64547 | Dec 10, 2025 | Adobe Experience Manager 6.5.23 & earlier: Stored XSS via Form Fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64833 | Dec 10, 2025 | Adobe Experience Manager 6.5.23 or earlier: Stored XSS in form fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64613 | Dec 10, 2025 | Adobe Experience Manager XSS via Form Fields (before 6.5.23). Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64829 | Dec 10, 2025 | Adobe Experience Manager XSS via Stored Form Field <=6.5.23. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64553 | Dec 10, 2025 | Adobe Experience Manager <6.5.23 Stored XSS in Form Fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64545 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 DOM XSS via Crafted URL. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | |
| CVE-2025-64546 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 XSS in Form Fields (CVE-2025-64546). Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64537 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 DOM XSS -> arbitrary code exec. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. | |
| CVE-2025-64574 | Dec 10, 2025 | Adobe Experience Manager before 6.5.23 Stored XSS in Form Fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64550 | Dec 10, 2025 | Adobe Experience Manager 6.5.23 DOM XSS via crafted URL. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | |
| CVE-2025-64827 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 XSS via Form Field Injection. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64602 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 XSS: Stored Form Field JS Injection. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64593 | Dec 10, 2025 | Adobe Experience Manager <=6.5.23 Stored XSS. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64539 | Dec 10, 2025 | Adobe Experience Manager <6.5.23: DOM XSS in 6.5.23 and earlier. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. | |
| CVE-2025-64887 | Dec 10, 2025 | AEM 6.5.23 DOM-XSS via crafted URL. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | |
| CVE-2025-64548 | Dec 10, 2025 | Adobe Experience Manager 6.5.23 and earlier: Stored XSS via form fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64563 | Dec 10, 2025 | DOM-based XSS in Adobe Experience Manager 6.5.23 and earlier. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | |
| CVE-2025-64559 | Dec 10, 2025 | Adobe AEM <=6.5.23 Stored XSS via Form Fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64800 | Dec 10, 2025 | Adobe Experience Manager 6.5.23 Stored XSS via Form Fields. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64817 | Dec 10, 2025 | Adobe Experience Manager XSS in form fields before 6.5.23. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64888 | Dec 10, 2025 | DOM XSS in Adobe Experience Manager <=6.5.23. Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | |
| CVE-2025-64600 | Dec 10, 2025 | AEM XSS in Form Fields before 6.5.23. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |
| CVE-2025-64826 | Dec 10, 2025 | Adobe AEM 6.5.23 XSS in form fields via injected JS. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | |