Bulletin ID
Security updates available for Adobe Experience Manager | APSB26-74
|
|
Date Published |
Priority |
|---|---|---|
|
APSB26-74 |
July 14, 2026 |
3 |
Summary
Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important. Successful exploitation of these vulnerabilities could result in arbitrary code execution, security feature bypass, arbitrary file system read, and privilege escalation.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected product versions
Product |
Version |
Platform |
|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) Release 2026.5.0 and earlier | All |
| Adobe Experience Manager (AEM) | 6.5 LTS Service Pack 1 and earlier | All |
| Adobe Experience Manager (AEM) | 6.5 Service Pack 24 and earlier | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) Release 2026.6.0 | All | 3 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5 LTS Service Pack 2 - Hotfix for NPR-43972 | All | 3 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5 Service Pack 25 - Hotfix for NPR-43971 | All | 3 | Release Notes |
CVE-2026-48252, CVE-2026-48259, CVE-2026-48263, CVE-2026-48310, CVE-2026-48355 only affect indicated AEMaaCS releases.
Vulnerability Details
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary code execution | Critical | 9.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CVE-2026-48259 |
| Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | Arbitrary code execution | Critical | 9.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CVE-2026-48359 |
| Missing Authentication for Critical Function (CWE-306) | Security feature bypass | Critical | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N | CVE-2026-48252 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary file system read | Critical | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CVE-2026-48310 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48263 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48253 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48355 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48254 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48255 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48257 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48260 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48261 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Privilege escalation | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48262 |
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- green-jam - CVE-2026-48253, CVE-2026-48254, CVE-2026-48255, CVE-2026-48257, CVE-2026-48260, CVE-2026-48261, CVE-2026-48262
- Dylan Pindur, Adam Kues, and Patrik Grobshäuser of Assetnote - CVE-2026-48252, CVE-2026-48259, CVE-2026-48263, CVE-2026-48310, CVE-2026-48355, CVE-2026-48359
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Revisions
December 18, 2025: Added CVE-2025-64538
December 10, 2025: Removed CVE-2025-64540
December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.