Adobe Patches Critical RCE Flaws in FrameMaker Publishing, Commerce, and Magento
Adobe released security updates for multiple critical vulnerabilities affecting Adobe FrameMaker Publishing Server, Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks extension. The most serious issues include CVE-2024-30299 and CVE-2024-30300 in FrameMaker Publishing Server and CVE-2024-34102 in Adobe Commerce and Magento, with severity reaching CVSS 10.0. Successful exploitation could allow arbitrary code execution, security feature bypass, and privilege escalation.
Adobe also issued critical fixes for Adobe Experience Manager, Creative Cloud Desktop, Photoshop, and Substance 3D Stager to address vulnerabilities that could enable code execution, unauthorized system access, and exposure of sensitive data. National cybersecurity authorities highlighted the breadth and severity of the flaws and urged organizations using affected Adobe products to apply vendor patches immediately in line with Adobe guidance.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Adobe publishes additional critical updates across other product lines
Alongside the above fixes, Adobe also released critical security updates for Adobe Experience Manager, Adobe Creative Cloud Desktop, Adobe Photoshop, and Adobe Substance 3D Stager. These updates addressed vulnerabilities that could allow code execution, system access, or unauthorized access to data.
Adobe releases critical patches for FrameMaker, Commerce, and Magento
Adobe issued security updates for Adobe FrameMaker Publishing Server, Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks extension to fix multiple critical vulnerabilities. The flaws included CVE-2024-30299 and CVE-2024-30300 in FrameMaker Publishing Server and CVE-2024-34102 in Adobe Commerce and Magento, with potential impacts including remote code execution, security feature bypass, and privilege escalation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Kriittisiä haavoittuvuuksia Adobe FrameMaker Publishing, Adobe Commerce ja Magento alustoissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittisiä haavoittuvuuksia Adobe FrameMaker Publishing, Adobe Commerce ja Magento alustoissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
Mar 21, 2026
Adobe fixes critical flaws across Acrobat, ColdFusion, Experience Manager, and Campaign
Adobe released a broad set of security updates covering **Adobe Experience Manager**, **Acrobat/Reader**, **ColdFusion**, **Dreamweaver**, **InDesign**, **InCopy**, **Substance 3D Sampler**, **Format Plugins**, **Campaign Classic**, and Content Credentials SDK components, prompting alerts from national and regional CERTs including Canada’s Cyber Centre and HKCERT. The advisories span multiple high-severity issues, with affected versions including **ColdFusion 2023.19 and 2025.8 and earlier**, **Dreamweaver 21.7 and earlier**, **Campaign Classic 7.4.3 build 9394 and earlier**, and **AEM Forms JEE LTS SP1 / 6.5.24.0 and earlier**. The most serious disclosures include multiple **remote code execution** bugs in Acrobat/Reader such as `CVE-2026-47911`, `CVE-2026-47912`, `CVE-2026-47913`, `CVE-2026-47914`, `CVE-2026-47915`, `CVE-2026-47918`, and `CVE-2026-47919`, largely tied to use-after-free conditions and malicious file handling; several **ColdFusion** flaws including `CVE-2026-47928`, `CVE-2026-47929`, `CVE-2026-47930`, `CVE-2026-47931`, and `CVE-2026-47932` that can enable code execution, security feature bypass, or unauthorized read/write access; **AEM Forms JEE** stored and reflected XSS issues `CVE-2026-34691` and `CVE-2026-34693`; **Campaign Classic** issues `CVE-2026-47938` and `CVE-2026-48303` involving SSRF, privilege escalation, and possible code execution; **Dreamweaver** arbitrary file read via `CVE-2026-47907`; and **USD Fileformat Plugins** heap-based buffer overflows `CVE-2026-48291` and `CVE-2026-48292`. Adobe has issued patches for the affected products, and defenders are being urged to review the vendor bulletins and deploy updates quickly.
Jun 12, 2026
Adobe March 2026 Security Updates Across Multiple Products
Adobe published its March 2026 security advisories covering **multiple vulnerabilities** across a broad set of products, with impacts including **remote code execution (RCE)**, **elevation of privilege**, **cross-site scripting (XSS)**, **information disclosure**, **denial of service**, and **security restriction bypass**. Products called out include **Adobe Commerce** (including *Adobe Commerce B2B* and *Magento Open Source*), **Illustrator**, **Acrobat/Reader**, **Premiere Pro**, **Experience Manager (AEM)**, **Substance 3D Painter**, **Substance 3D Stager**, and the **Adobe DNG SDK**. The Hong Kong CERT bulletin characterized the overall risk level of the March release as **Medium**, listing eight medium-risk product advisories (e.g., `APSB26-05`, `APSB26-18`, `APSB26-24`, `APSB26-26`). Canada’s Cyber Centre alert (**AV26-215**) echoed the same advisory set and provided affected version ranges (e.g., *Illustrator 2025* prior to 29.8.4/30.1, *Acrobat/Reader DC* prior to 25.001.21265, *Premiere Pro* prior to 25.5, *AEM* Cloud Service and 6.5 LTS/6.5 SP23 and prior, and *DNG SDK* prior to 1.7.1 build 2471), urging organizations to review Adobe’s advisories and apply the required updates.
Mar 21, 2026