Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)
Summary
| CVE | CVE-2026-48358 |
|---|---|
| State | PUBLISHED |
| Assigner | adobe |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 20:17:08 UTC |
| Updated | 2026-07-15 11:16:29 UTC |
| Description | Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Problem Types: CWE-116 | CWE-116 Improper Encoding or Escaping of Output (CWE-116)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Adobe | Adobe Commerce | affected 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18 semver | Not specified |
| CNA | Adobe | Adobe Commerce | unaffected 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul semver | Not specified |
| CNA | Adobe | Adobe Commerce B2B | affected 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18 semver | Not specified |
| CNA | Adobe | Adobe Commerce B2B | unaffected 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul semver | Not specified |
| CNA | Adobe | Magento Open Source | affected 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 semver | Not specified |
| CNA | Adobe | Magento Open Source | unaffected 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul semver | Not specified |
| CNA | Adobe | Adobe Commerce Webhooks Plugin | affected 1.20.0 semver | Not specified |
| CNA | Adobe | Adobe Commerce Webhooks Plugin | unaffected 1.21.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| helpx.adobe.com/security/products/magento/apsb26-73.html | [email protected] | helpx.adobe.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.