Adobe has disclosed a critical (CVSS 9.6) unrestricted file upload vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution.
What Is It
CVE-2026-48356 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Adobe Commerce. According to Adobe, the flaw "could result in arbitrary code execution in the context of the current user." Because the application fails to properly restrict the types of files that can be uploaded, an attacker could supply a file of a dangerous type, such as an executable script, and cause it to run, resulting in code execution on the affected system. Exploitation requires user interaction, meaning a legitimate user must perform some action for the attack to succeed. The vulnerability carries a changed scope, meaning impact can extend beyond the initially vulnerable component.
Why It Matters
The vulnerability holds a CVSS 3.1 base score of 9.6 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L. It is network-exploitable with low attack complexity and requires no privileges, combining high confidentiality and integrity impact with a changed scope. Adobe Commerce and Magento power large numbers of e-commerce storefronts, making a code-execution flaw of this severity a significant risk to affected merchants.
What's Vulnerable
Per Adobe's advisory, the following products are affected:
- Adobe Commerce: versions up to and including 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18
- Adobe Commerce B2B: versions up to and including 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18
- Magento Open Source: versions up to and including 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15
- Adobe Commerce Webhooks Plugin: versions up to and including 1.20.0
Patch Status
Adobe has released fixed versions. Affected users should update to the July 2026 patched builds (e.g., the 2026-jul releases for Commerce, B2B, and Magento Open Source) or to Webhooks Plugin 1.21.0. This CVE is not currently listed in the CISA KEV catalog, and no confirmation of active exploitation is present in the supplied source material.
Sources
- Adobe Security Bulletin APSB26-73; https://helpx.adobe.com/security/products/magento/apsb26-73.html
- NVD, CVE-2026-48356, https://nvd.nist.gov/vuln/detail/CVE-2026-48356