Adobe Security Bulletin

Security update available for Adobe Commerce | APSB26-73

Bulletin ID

Date Published

Priority

APSB26-73

July 14, 2026

2

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves criticalimportant and moderate vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.

Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Affected Versions

Product Version Priority Rating Platform
 Adobe Commerce

2.4.9
2.4.8-p5 and earlier
2.4.7-p10 and earlier
2.4.6-p15 and earlier
2.4.5-p17 and earlier
2.4.4-p18 and earlier

2 All
Adobe Commerce B2B

1.5.3
1.5.2-p5 and earlier
1.4.2-p10 and earlier
1.3.4-p17 and earlier
1.3.3-p18 and earlier

2 All
Magento Open Source

2.4.9
2.4.8-p5 and earlier
2.4.7-p10 and earlier
2.4.6-p15 and earlier

2 All
Adobe Commerce Events 1.6.0 to 1.20.0 2 All

 

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Updated Version Platform Priority Rating Installation Instructions
Adobe Commerce

2.4.9-2026-jul
2.4.8-2026-jul
2.4.7-2026-jul
2.4.6-2026-jul
2.4.5-2026-jul
2.4.4-2026-jul

All 2 Release Notes
Adobe Commerce B2B 1.5.3-2026-jul
1.5.2-2026-jul
1.4.2-2026-jul
1.3.4-2026-jul
1.3.3-2026-jul
All 2 Release Notes
Magento Open Source 2.4.9-2026-jul
2.4.8-2026-jul
2.4.7-2026-jul
2.4.6-2026-jul
All 2 Release Notes
Adobe Commerce Events 1.21.0 All 2 Upgrade Modules and Extensions

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity Authentication required to exploit? Exploit requires admin privileges?
CVSS base score
CVSS vector
CVE number(s) Notes
Unrestricted Upload of File with Dangerous Type (CWE-434) Privilege escalation Critical No No 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L CVE-2026-48356  
Improper Encoding or Escaping of Output (CWE-116) Arbitrary code execution Critical Yes Yes 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2026-48358 Applies to webhooks only
Cross-site Scripting (Stored XSS) (CWE-79) Privilege escalation Critical Yes Yes 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVE-2026-47994  
Incorrect Authorization (CWE-863) Security feature bypass Critical No No 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVE-2026-47988  
Incorrect Authorization (CWE-863) Security feature bypass Critical No No 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2026-47984  
Cross-site Scripting (Stored XSS) (CWE-79) Privilege escalation Critical Yes Yes 8.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N CVE-2026-47995 B2B
Incorrect Authorization (CWE-863) Security feature bypass Critical Yes Yes 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L CVE-2026-47996  
Improper Input Validation (CWE-20) Privilege escalation Critical Yes Yes 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2026-47992  
Incorrect Authorization (CWE-863) Security feature bypass Important No No 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-47997  
Incorrect Authorization (CWE-863) Security feature bypass Important No No 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-47998  
Cross-site Scripting (Stored XSS) (CWE-79) Arbitrary code execution Important Yes Yes 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2026-48371  
Cross-site Scripting (Stored XSS) (CWE-79) Arbitrary code execution Important Yes Yes 4.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2026-47999  
URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) Security feature bypass Moderate Yes Yes 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2026-48000  
Information Exposure (CWE-200) Security feature bypass Moderate No No 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-48001  
Note

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.


Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • 0x0.eth - CVE-2026-47984, CVE-2026-47996
  • T.H. Lassche - CVE-2026-47988
  • Sudhanshu Rajbhar (sudi) - CVE-2026-47992
  • wohlie - CVE-2026-47994, CVE-2026-47995, CVE-2026-48358
  • akashhamal0x01 - CVE-2026-47997, CVE-2026-47998, CVE-2026-48001
  • s (howtoplay) - CVE-2026-47999
  • schemonah - CVE-2026-48000
  • Tseng, Ching-Yen (shaber) - CVE-2026-48371

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe.


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe, Inc.

Get help faster and easier

New user?