SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48358 2026-07-14

CVE-2026-48358: Critical Code Execution Flaw in Adobe Commerce and Magento

"Adobe has disclosed a critical (CVSS 9.1) output-encoding vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution without user interaction."

Adobe has disclosed a critical (CVSS 9.1) output-encoding vulnerability in Adobe Commerce, Magento Open Source, and related products that can lead to arbitrary code execution without user interaction.

What Is It

CVE-2026-48358 is an Improper Encoding or Escaping of Output vulnerability (CWE-116) affecting Adobe Commerce. According to Adobe, the flaw "could result in arbitrary code execution in the context of the current user." Exploitation does not require user interaction, and the vulnerability has a changed scope; meaning an attacker can impact resources beyond the initially vulnerable component. It carries a CVSS 3.1 base score of 9.1 (CRITICAL), with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Why It Matters

The vulnerability is network-exploitable with low attack complexity and no user interaction, and it delivers high impact across confidentiality, integrity, and availability. While exploitation requires high privileges, the changed scope and potential for arbitrary code execution make this a serious risk for e-commerce platforms handling sensitive customer and payment data. The NVD record does not indicate confirmed active exploitation, and there is no associated CISA KEV entry in the supplied data.

What's Vulnerable

The following Adobe products are affected:

Patch Status

Adobe has released fixed versions. The July 2026 patch releases (e.g., 2.4.9-2026-jul and corresponding builds for each product line) resolve the issue, and the Webhooks Plugin is fixed in version 1.21.0. Administrators should update to the corresponding patched build for their product line. Full remediation details are available in Adobe's security bulletin APSB26-73.

Sources