Adobe Commerce Improper Encoding/Escaping leads to arbitrary code exec
CVE-2026-48358 Published on July 14, 2026
Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)
Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Vulnerability Analysis
CVE-2026-48358 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2026-48358 has been classified to as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2026-48358
Want to know whenever a new CVE is published for Adobe products? stack.watch will email you.
Affected Versions
Adobe Commerce:- Before and including 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18 is affected.
- Version 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul is unaffected.
- Before and including 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18 is affected.
- Version 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul is unaffected.
- Before and including 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 is affected.
- Version 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul is unaffected.
- Before and including 1.20.0 is affected.
- Version 1.21.0 is unaffected.