Bulletin ID
Security update available for Adobe Commerce | APSB26-73
|
|
Date Published |
Priority |
|---|---|---|
|
APSB26-73 |
July 14, 2026 |
2 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
| Product | Version | Priority Rating | Platform |
|---|---|---|---|
| Adobe Commerce |
2.4.9 |
2 | All |
| Adobe Commerce B2B |
1.5.3 |
2 | All |
| Magento Open Source | 2.4.9 |
2 | All |
| Adobe Commerce Events | 1.6.0 to 1.20.0 | 2 | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | 2.4.9-2026-jul |
All | 2 | Release Notes |
| Adobe Commerce B2B | 1.5.3-2026-jul 1.5.2-2026-jul 1.4.2-2026-jul 1.3.4-2026-jul 1.3.3-2026-jul |
All | 2 | Release Notes |
| Magento Open Source | 2.4.9-2026-jul 2.4.8-2026-jul 2.4.7-2026-jul 2.4.6-2026-jul |
All | 2 | Release Notes |
| Adobe Commerce Events | 1.21.0 | All | 2 | Upgrade Modules and Extensions |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Unrestricted Upload of File with Dangerous Type (CWE-434) | Privilege escalation | Critical | No | No | 9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L | CVE-2026-48356 | |
| Improper Encoding or Escaping of Output (CWE-116) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2026-48358 | Applies to webhooks only |
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | CVE-2026-47994 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | No | No | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | CVE-2026-47988 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | No | No | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CVE-2026-47984 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N | CVE-2026-47995 | B2B |
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | Yes | Yes | 7.6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L | CVE-2026-47996 | |
| Improper Input Validation (CWE-20) | Privilege escalation | Critical | Yes | Yes | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CVE-2026-47992 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | No | No | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2026-47997 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | No | No | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2026-47998 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48371 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47999 | |
| URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2026-48000 | |
| Information Exposure (CWE-200) | Security feature bypass | Moderate | No | No | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2026-48001 |
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- 0x0.eth - CVE-2026-47984, CVE-2026-47996
- T.H. Lassche - CVE-2026-47988
- Sudhanshu Rajbhar (sudi) - CVE-2026-47992
- wohlie - CVE-2026-47994, CVE-2026-47995, CVE-2026-48358
- akashhamal0x01 - CVE-2026-47997, CVE-2026-47998, CVE-2026-48001
- s (howtoplay) - CVE-2026-47999
- schemonah - CVE-2026-48000
- Tseng, Ching-Yen (shaber) - CVE-2026-48371
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.