SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48359 2026-07-14

CVE-2026-48359: Critical XXE Flaw in Adobe Experience Manager Could Enable Code Execution

"Adobe Experience Manager contains a critical (CVSS 9.6) XML External Entity vulnerability that could let a low-privileged attacker, no user interaction required, read sensitive files and, according to Adobe, potentially…"

Adobe Experience Manager contains a critical (CVSS 9.6) XML External Entity vulnerability that could let a low-privileged attacker, no user interaction required, read sensitive files and, according to Adobe, potentially achieve arbitrary code execution in the current user's context.

What Is It

CVE-2026-48359 is an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (CWE-611) in Adobe Experience Manager. According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. A low-privileged attacker may be able to exploit it to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning impact can extend beyond the initially vulnerable component.

Why It Matters

The CVSS 3.1 base score is 9.6 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The combination of network attack vector, low attack complexity, only low privileges required, no user interaction, and a changed scope makes this an especially dangerous flaw. Confidentiality and integrity impacts are both rated HIGH. AEM is widely deployed as an enterprise content and digital experience platform, so a file-read-to-code-execution primitive would give attackers a strong foothold.

What's Vulnerable

Per Adobe's affected-product data, the following are affected:

Patch Status

Adobe has published fixes. Cloud Service is remediated in 2026.6.0; AEM 6.5 LTS is remediated in SP2 – Hotfix for NPR-43972; and AEM 6.5 is remediated in 6.5.25 – Hotfix for NPR-43972. Administrators should upgrade affected instances to these versions per Adobe security bulletin APSB26-74. This CVE is not present in the supplied CISA KEV data, so no active exploitation is confirmed by KEV at this time.

Sources