Adobe Commerce Improper Encoding/Escaping leads to arbitrary code exec
CVE-2026-48358 Published on July 14, 2026

Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)
Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-48358 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an Output Sanitization Vulnerability?

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CVE-2026-48358 has been classified to as an Output Sanitization vulnerability or weakness.


Products Associated with CVE-2026-48358

Want to know whenever a new CVE is published for Adobe products? stack.watch will email you.

 
 
 
 

Affected Versions

Adobe Commerce: Adobe Commerce B2B: Adobe Magento Open Source: Adobe Commerce Webhooks Plugin: