Adobe has disclosed a critical (CVSS 9.1) output-encoding vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution without user interaction.
What Is It
CVE-2026-48358 is an Improper Encoding or Escaping of Output vulnerability (CWE-116) affecting Adobe Commerce. According to Adobe, the flaw "could result in arbitrary code execution in the context of the current user." Exploitation does not require user interaction, and the vulnerability has a changed scope; meaning an attacker can impact resources beyond the initially vulnerable component. It carries a CVSS 3.1 base score of 9.1 (CRITICAL), with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
Why It Matters
The vulnerability is network-exploitable with low attack complexity and no user interaction, and it delivers high impact across confidentiality, integrity, and availability. While exploitation requires high privileges, the changed scope and potential for arbitrary code execution make this a serious risk for e-commerce platforms handling sensitive customer and payment data. The NVD record does not indicate confirmed active exploitation, and there is no associated CISA KEV entry in the supplied data.
What's Vulnerable
The following Adobe products are affected:
- Adobe Commerce: versions through 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, and 2.4.4-p18
- Adobe Commerce B2B: versions through 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, and 1.3.3-p18
- Magento Open Source: versions through 2.4.9, 2.4.8-p5, 2.4.7-p10, and 2.4.6-p15
- Adobe Commerce Webhooks Plugin: versions through 1.20.0
Patch Status
Adobe has released fixed versions. The July 2026 patch releases (e.g., 2.4.9-2026-jul and corresponding builds for each product line) resolve the issue, and the Webhooks Plugin is fixed in version 1.21.0. Administrators should update to the corresponding patched build for their product line. Full remediation details are available in Adobe's security bulletin APSB26-73.