Several vulnerabilities in Adobe products could allow execution of arbitrary code


Several vulnerabilities in Adobe products could allow execution of arbitrary code


Several vulnerabilities have been discovered in Adobe products, the most serious of which could allow the execution of arbitrary code. The details of these vulnerabilities are as follows:

Tactical: Execution (TA0002)

Technical: Operation for customer execution (T1203):

Adobe After Effects:

  • Out of bounds write (CVE-2026-48274, CVE-2026-48367)
  • Stack-based buffer overflow (CVE-2026-34690)

Adobe Animate:

  • Incorrect limitation of a path name to a restricted directory (“Path Traversal”) (CVE-2026-48350)
  • Improper neutralization of special elements used in an operating system command (“OS command injection”) (CVE-2026-48345, CVE-2026-48347)
  • Untrusted search path (CVE-2026-48346)
  • Incorrect authorization (CVE-2026-48348, CVE-2026-48349)

Adobe Audition:

  • Out-of-bounds write (CVE-2026-47967, CVE-2026-47968, CVE-2026-48309, CVE-2026-48368, CVE-2026-48365)
  • Reading out of bounds (CVE-2026-47969)

Adobe Bridge:

  • Out of bounds write (CVE-2026-48311, CVE-2026-48341, CVE-2026-48343)
  • Heap-based buffer overflow (CVE-2026-48339)
  • Untrusted Pointer Dereference (CVE-2026-48340)
  • Integer overflow or loopback (CVE-2026-48342)

Adobe ColdFusion:

  • Incorrect limitation of a path name to a restricted directory (“Path Traversal”) (CVE-2026-48318, CVE-2026-48319, CVE-2026-48338)
  • Improper control of code generation (“code injection”) (CVE-2026-48322)
  • Incorrect input validation (CVE-2026-48284, CVE-2026-48328)
  • Incorrect authorization (CVE-2026-48321, CVE-2026-48327)
  • Critical Function (CVE-2026-48325)
  • Incorrect neutralization of special elements used in an SQL command (“SQL Injection”) (CVE-2026-48324)
  • Cross-site scripting (Reflected XSS) (CVE-2026-48320)
  • Server-Side Request Forgery (SSRF) (CVE-2026-48332)
  • Insufficient session expiration (CVE-2026-48329)

Adobe Commerce:

  • Unrestricted download of dangerous file type (CVE-2026-48356)
  • Incorrect encoding or escaping output (CVE-2026-48358)
  • Cross-site scripting (stored XSS) (CVE-2026-47994, CVE-2026-47995, CVE-2026-47999)
  • Incorrect authorization (CVE-2026-47988, CVE-2026-47984, CVE-2026-47996, CVE-2026-47997, CVE-2026-47998)
  • Incorrect input validation (CVE-2026-47992)
  • URL Redirection to an Untrusted Site (“Open Redirect”) (CVE-2026-48000)
  • Information Exposure (CVE-2026-48001)

Content Credentials SDK:

  • Server-Side Request Forgery (SSRF) (CVE-2026-48290)
  • Incorrect input validation (CVE-2026-48351, CVE-2026-48352, CVE-2026-48312, CVE-2026-48302, CVE-2026-48353)
  • Insufficiently protected identifiers (CVE-2026-48295)
  • Untrusted search path (CVE-2026-48287)
  • Integer overflow or loopback (CVE-2026-48354)
  • Uncontrolled resource consumption (CVE-2026-48357)
  • Integer underflow (Wrap or Wraparound) (CVE-2026-48296, CVE-2026-48298)

Adobe Creative Cloud desktop app:

  • Uncontrolled Search Path Element (CVE-2026-48272)
  • Time of Control Time of Use (TOCTOU) Race Condition (CVE-2026-48344)

Adobe Experience Manager:

  • Server-Side Request Forgery (SSRF) (CVE-2026-48259)
  • Improper Restriction of XML External Entity Reference (“XXE”) (CVE-2026-48359)
  • Critical Function (CVE-2026-48252)
  • Incorrect limitation of a path name to a restricted directory (“Path Traversal”) (CVE-2026-48310)
  • Cross-site scripting (stored XSS) (CVE-2026-48263, CVE-2026-48355)
  • Cross-site Scripting (DOM-based

Adobe Illustrator:

  • Incorrect input validation (CVE-2026-48334)
  • Untrusted search path (CVE-2026-48275)
  • Out-of-bounds write (CVE-2026-48337, CVE-2026-48336)

Adobe media encoder:

  • Stack-based buffer overflow (CVE-2026-47971)
  • Out-of-bounds write (CVE-2026-47976, CVE-2026-48370, CVE-2026-48366)
  • Reading out of bounds (CVE-2026-47979)

Adobe Premiere Pro:

  • Heap-based buffer overflow (CVE-2026-48269)
  • Out-of-bounds write (CVE-2026-48270, CVE-2026-48369)
  • Incorrect input validation (CVE-2026-48308)

Successful exploitation of the most severe of these vulnerabilities could allow execution of arbitrary code in the context of the logged in user. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.