SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48356 2026-07-14

CVE-2026-48356: Critical File Upload Flaw in Adobe Commerce and Magento Enables Code Execution

"Adobe has disclosed a critical (CVSS 9.6) unrestricted file upload vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution."

Adobe has disclosed a critical (CVSS 9.6) unrestricted file upload vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution.

What Is It

CVE-2026-48356 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Adobe Commerce. According to Adobe, the flaw "could result in arbitrary code execution in the context of the current user." Because the application fails to properly restrict the types of files that can be uploaded, an attacker could supply a file of a dangerous type, such as an executable script, and cause it to run, resulting in code execution on the affected system. Exploitation requires user interaction, meaning a legitimate user must perform some action for the attack to succeed. The vulnerability carries a changed scope, meaning impact can extend beyond the initially vulnerable component.

Why It Matters

The vulnerability holds a CVSS 3.1 base score of 9.6 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L. It is network-exploitable with low attack complexity and requires no privileges, combining high confidentiality and integrity impact with a changed scope. Adobe Commerce and Magento power large numbers of e-commerce storefronts, making a code-execution flaw of this severity a significant risk to affected merchants.

What's Vulnerable

Per Adobe's advisory, the following products are affected:

Patch Status

Adobe has released fixed versions. Affected users should update to the July 2026 patched builds (e.g., the 2026-jul releases for Commerce, B2B, and Magento Open Source) or to Webhooks Plugin 1.21.0. This CVE is not currently listed in the CISA KEV catalog, and no confirmation of active exploitation is present in the supplied source material.

Sources