Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB26-74

Bulletin ID

Date Published

Priority

APSB26-74

July 14, 2026

3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important. Successful exploitation of these vulnerabilities could result in arbitrary code execution, security feature bypass, arbitrary file system read, and privilege escalation. 

Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Affected product versions

Product

Version

Platform

Adobe Experience Manager (AEM) 
AEM Cloud Service (CS) Release 2026.5.0 and earlier All
Adobe Experience Manager (AEM)  6.5 LTS Service Pack 1 and earlier All 
Adobe Experience Manager (AEM) 6.5 Service Pack 24 and earlier All 

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM) 
AEM Cloud Service (CS) Release 2026.6.0 All 3 Release Notes
Adobe Experience Manager (AEM)  6.5 LTS Service Pack 2 - Hotfix for NPR-43972 All  3 Release Notes
Adobe Experience Manager (AEM) 6.5 Service Pack 25 - Hotfix for NPR-43971 All  3 Release Notes
Note

CVE-2026-48252, CVE-2026-48259, CVE-2026-48263, CVE-2026-48310, CVE-2026-48355 only affect indicated AEMaaCS releases. 

Vulnerability Details

Vulnerability Category
Vulnerability Impact
Severity
CVSS base score
CVSS vector
CVE Number
Server-Side Request Forgery (SSRF) (CWE-918) Arbitrary code execution Critical 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVE-2026-48259
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) Arbitrary code execution Critical 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVE-2026-48359
Missing Authentication for Critical Function (CWE-306) Security feature bypass Critical 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2026-48252
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) Arbitrary file system read Critical 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2026-48310
Cross-site Scripting (Stored XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48263
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48253
Cross-site Scripting (Stored XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48355
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48254
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48255
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48257
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48260
Cross-site Scripting (DOM-based XSS) (CWE-79) Arbitrary code execution Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48261
Cross-site Scripting (DOM-based XSS) (CWE-79) Privilege escalation Important 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48262

 

Note

If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers: 

  • green-jam - CVE-2026-48253, CVE-2026-48254, CVE-2026-48255, CVE-2026-48257, CVE-2026-48260, CVE-2026-48261, CVE-2026-48262
  • Dylan Pindur, Adam Kues, and Patrik Grobshäuser of Assetnote - CVE-2026-48252, CVE-2026-48259, CVE-2026-48263, CVE-2026-48310, CVE-2026-48355, CVE-2026-48359

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe

 

 

Revisions

December 18, 2025: Added CVE-2025-64538 

December 10, 2025: Removed CVE-2025-64540

December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe, Inc.

Get help faster and easier

New user?