CVE-2026-48259 PUBLISHED

Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)

Assigner: adobe
Reserved: 21.05.2026 Published: 14.07.2026 Updated: 15.07.2026

Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.6

Product Status

Vendor Adobe
Product Adobe Experience Manager as a Cloud Service
Versions Default: affected
  • affected from 0 to 2026.5.0 (incl.)
  • Version 2026.6.0 is unaffected
Vendor Adobe
Product Adobe Experience Manager 6.5 LTS
Versions Default: affected
  • affected from 0 to SP1 (incl.)
  • Version SP2 - Hotfix for NPR-43972 is unaffected
Vendor Adobe
Product Adobe Experience Manager 6.5
Versions Default: affected
  • affected from 0 to 6.5.24 (incl.)
  • Version 6.5.25 - Hotfix for NPR-43972 is unaffected

References

Problem Types

  • Server-Side Request Forgery (SSRF) (CWE-918) CWE