⚡ Active KEV CVE-2026-48286 2026-06-30

CVE-2026-48286: Critical Authorization Flaw in Adobe Campaign Classic Enables Remote Code Execution

A critical (CVSS 10.0) incorrect authorization vulnerability in Adobe Campaign Classic could allow unauthenticated attackers to execute arbitrary code over the network without any user interaction.

What Is It

CVE-2026-48286 is an Incorrect Authorization vulnerability (CWE-863) in Adobe Campaign Classic (ACC). According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the vulnerability's scope is changed, meaning a successful attack can affect resources beyond the initially vulnerable component.

Why It Matters

This carries the maximum CVSS 3.1 base score of 10.0 (CRITICAL). The vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, describes a network-exploitable flaw with low attack complexity, requiring no privileges and no user interaction, with high confidentiality, integrity, and availability impact. The exploitability sub-score is 3.9, the maximum possible. A changed scope combined with unauthenticated remote code execution makes this an especially high-priority issue for any organization running affected ACC deployments.

What's Vulnerable

Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected. The vulnerability was published by Adobe's PSIRT on 2026-06-30 and is currently listed by NVD as "Undergoing Analysis."

Patch Status

Adobe has published a security advisory (APSB26-69) addressing this vulnerability. Organizations running affected ACC versions should consult that advisory and update to a fixed release. There is no CISA KEV entry supplied for this CVE, so active exploitation is not confirmed in the source material provided.
