Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes advisory on multiple Adobe product vulnerabilities
The Center for Internet Security published an advisory highlighting multiple Adobe product vulnerabilities that could allow arbitrary code execution, reflecting broader defensive notification following Adobe's patch release. The advisory reinforced the need for organizations to apply the available updates.
Adobe releases security updates for Connect, Commerce, and Creative Cloud apps
Adobe issued urgent patches for more than 35 vulnerabilities across Adobe Connect, Adobe Commerce, Magento Open Source, and multiple Creative Cloud applications. The updates addressed issues including critical remote code execution risks, privilege escalation, authentication bypass, open redirect, and DOM-based XSS flaws, with no active exploitation reported at disclosure time.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
cisecurity.org
Open sourceAdobe Issues Urgent Security Updates for Connect, Commerce, and Creative Cloud Apps
thecyberexpress.com
Open sourceAdobe Patches Critical Connect Flaw (CVE-2025-49553) and 35 More Across Creative Suite
socradar.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Patches Critical RCE Flaws in FrameMaker Publishing, Commerce, and Magento
Adobe released security updates for multiple critical vulnerabilities affecting **Adobe FrameMaker Publishing Server**, **Adobe Commerce**, **Magento Open Source**, and the **Adobe Commerce Webhooks** extension. The most serious issues include `CVE-2024-30299` and `CVE-2024-30300` in FrameMaker Publishing Server and `CVE-2024-34102` in Adobe Commerce and Magento, with severity reaching **CVSS 10.0**. Successful exploitation could allow **arbitrary code execution**, **security feature bypass**, and **privilege escalation**. Adobe also issued critical fixes for **Adobe Experience Manager**, **Creative Cloud Desktop**, **Photoshop**, and **Substance 3D Stager** to address vulnerabilities that could enable code execution, unauthorized system access, and exposure of sensitive data. National cybersecurity authorities highlighted the breadth and severity of the flaws and urged organizations using affected Adobe products to apply vendor patches immediately in line with Adobe guidance.
Apr 27, 2026
Multiple Critical Vulnerabilities in Adobe Products Allowing Arbitrary Code Execution
Adobe released security advisories addressing multiple vulnerabilities across a range of its products, including ColdFusion, Adobe Experience Manager (AEM), DNG Software Development Kit (SDK), Acrobat, Acrobat Reader, and the Creative Cloud Desktop Application. The most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user, potentially enabling attackers to install programs, modify or delete data, or create new accounts with full user rights. Affected versions span ColdFusion 2025, 2023, and 2021, AEM Cloud Service and 6.5 LTS, DNG SDK 1.7.0 and prior, Acrobat and Acrobat Reader 2020 and 2024 for both Windows and Mac, and Creative Cloud Desktop Application 6.4.0.361 and earlier. Users and administrators are strongly encouraged to review the official advisories and apply the necessary updates to mitigate risk. Threat intelligence at the time of disclosure indicated no reports of these vulnerabilities being exploited in the wild. The advisories emphasize that users with administrative privileges are at greater risk if exploited, and recommend prompt patching to reduce exposure. Organizations relying on Adobe products for document management, web application development, or digital asset workflows should prioritize these updates to prevent potential compromise through remote code execution vulnerabilities.
Mar 21, 2026
Adobe fixes critical flaws across Acrobat, ColdFusion, Experience Manager, and Campaign
Adobe released a broad set of security updates covering **Adobe Experience Manager**, **Acrobat/Reader**, **ColdFusion**, **Dreamweaver**, **InDesign**, **InCopy**, **Substance 3D Sampler**, **Format Plugins**, **Campaign Classic**, and Content Credentials SDK components, prompting alerts from national and regional CERTs including Canada’s Cyber Centre and HKCERT. The advisories span multiple high-severity issues, with affected versions including **ColdFusion 2023.19 and 2025.8 and earlier**, **Dreamweaver 21.7 and earlier**, **Campaign Classic 7.4.3 build 9394 and earlier**, and **AEM Forms JEE LTS SP1 / 6.5.24.0 and earlier**. The most serious disclosures include multiple **remote code execution** bugs in Acrobat/Reader such as `CVE-2026-47911`, `CVE-2026-47912`, `CVE-2026-47913`, `CVE-2026-47914`, `CVE-2026-47915`, `CVE-2026-47918`, and `CVE-2026-47919`, largely tied to use-after-free conditions and malicious file handling; several **ColdFusion** flaws including `CVE-2026-47928`, `CVE-2026-47929`, `CVE-2026-47930`, `CVE-2026-47931`, and `CVE-2026-47932` that can enable code execution, security feature bypass, or unauthorized read/write access; **AEM Forms JEE** stored and reflected XSS issues `CVE-2026-34691` and `CVE-2026-34693`; **Campaign Classic** issues `CVE-2026-47938` and `CVE-2026-48303` involving SSRF, privilege escalation, and possible code execution; **Dreamweaver** arbitrary file read via `CVE-2026-47907`; and **USD Fileformat Plugins** heap-based buffer overflows `CVE-2026-48291` and `CVE-2026-48292`. Adobe has issued patches for the affected products, and defenders are being urged to review the vendor bulletins and deploy updates quickly.
Jun 12, 2026