A critical Server-Side Request Forgery flaw in Adobe Experience Manager can lead to arbitrary code execution and account takeover, requiring only low-privileged access and no user interaction.
What Is It
CVE-2026-48259 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in Adobe Experience Manager. According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. A low-privileged attacker can leverage it to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning impact can extend beyond the initially vulnerable component.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.6 (CRITICAL), with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. It is network-exploitable at low attack complexity, needs only low privileges, and requires no user interaction. Successful exploitation results in high confidentiality and integrity impact. The combination of remote reachability, minimal prerequisites, and a changed scope makes this a high-priority concern for any organization running affected AEM deployments.
What's Vulnerable
Per Adobe's affected-product data, the following are impacted:
- Adobe Experience Manager as a Cloud Service: versions up to and including 2026.5.0 (fixed in 2026.6.0)
- Adobe Experience Manager 6.5 LTS: up to and including SP1 (fixed via SP2 Hotfix for NPR-43972)
- Adobe Experience Manager 6.5: up to and including 6.5.24 (fixed in 6.5.25 Hotfix for NPR-43972)
Patch Status
Fixed versions are available. Organizations should upgrade AEM as a Cloud Service to 2026.6.0, apply the SP2 Hotfix for NPR-43972 on AEM 6.5 LTS, or move to AEM 6.5.25 (Hotfix for NPR-43972) on AEM 6.5. Refer to Adobe Security Bulletin APSB26-74 for full remediation guidance. This CVE does not appear in the supplied CISA KEV data, so there is no confirmed report of active exploitation at this time.
Sources
- NVD, CVE-2026-48259: https://nvd.nist.gov/vuln/detail/CVE-2026-48259
- Adobe Security Bulletin APSB26-74: https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html