Adobe Experience Manager contains a critical (CVSS 9.6) XML External Entity vulnerability that could let a low-privileged attacker, no user interaction required, read sensitive files and, according to Adobe, potentially achieve arbitrary code execution in the current user's context.
What Is It
CVE-2026-48359 is an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (CWE-611) in Adobe Experience Manager. According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. A low-privileged attacker may be able to exploit it to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning impact can extend beyond the initially vulnerable component.
Why It Matters
The CVSS 3.1 base score is 9.6 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The combination of network attack vector, low attack complexity, only low privileges required, no user interaction, and a changed scope makes this an especially dangerous flaw. Confidentiality and integrity impacts are both rated HIGH. AEM is widely deployed as an enterprise content and digital experience platform, so a file-read-to-code-execution primitive would give attackers a strong foothold.
What's Vulnerable
Per Adobe's affected-product data, the following are affected:
- Adobe Experience Manager as a Cloud Service: versions up to and including 2026.5.0 (2026.6.0 is unaffected).
- Adobe Experience Manager 6.5 LTS: versions up to and including SP1 (fixed in SP2 – Hotfix for NPR-43972).
- Adobe Experience Manager 6.5: versions up to and including 6.5.24 (fixed in 6.5.25 – Hotfix for NPR-43972).
Patch Status
Adobe has published fixes. Cloud Service is remediated in 2026.6.0; AEM 6.5 LTS is remediated in SP2 – Hotfix for NPR-43972; and AEM 6.5 is remediated in 6.5.25 – Hotfix for NPR-43972. Administrators should upgrade affected instances to these versions per Adobe security bulletin APSB26-74. This CVE is not present in the supplied CISA KEV data, so no active exploitation is confirmed by KEV at this time.
Sources
- Adobe Security Bulletin APSB26-74; https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html
- NVD, CVE-2026-48359, https://nvd.nist.gov/vuln/detail/CVE-2026-48359