{"api_version":"1","generated_at":"2026-07-15T12:50:30+00:00","cve":"CVE-2026-48358","urls":{"html":"https://cve.report/CVE-2026-48358","api":"https://cve.report/api/cve/CVE-2026-48358.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48358","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48358"},"summary":{"title":"Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)","description":"Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.","state":"PUBLISHED","assigner":"adobe","published_at":"2026-07-14 20:17:08","updated_at":"2026-07-15 11:16:29"},"problem_types":["CWE-116","CWE-116 Improper Encoding or Escaping of Output (CWE-116)"],"metrics":[{"version":"3.1","source":"psirt@adobe.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","availabilityRequirement":"NOT_DEFINED","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://helpx.adobe.com/security/products/magento/apsb26-73.html","name":"https://helpx.adobe.com/security/products/magento/apsb26-73.html","refsource":"psirt@adobe.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48358","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48358","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce","version":"affected 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce","version":"unaffected 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce B2B","version":"affected 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce B2B","version":"unaffected 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Magento Open Source","version":"affected 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Magento Open Source","version":"unaffected 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce Webhooks Plugin","version":"affected 1.20.0 semver","platforms":[]},{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce Webhooks Plugin","version":"unaffected 1.21.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48358","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-15T04:01:08.797969Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-15T10:27:07.982Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"Adobe Commerce","vendor":"Adobe","versions":[{"lessThanOrEqual":"2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul","versionType":"semver"}]},{"defaultStatus":"affected","product":"Adobe Commerce B2B","vendor":"Adobe","versions":[{"lessThanOrEqual":"1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul","versionType":"semver"}]},{"defaultStatus":"affected","product":"Magento Open Source","vendor":"Adobe","versions":[{"lessThanOrEqual":"2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul","versionType":"semver"}]},{"defaultStatus":"affected","product":"Adobe Commerce Webhooks Plugin","vendor":"Adobe","versions":[{"lessThanOrEqual":"1.20.0","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"1.21.0","versionType":"semver"}]}],"datePublic":"2026-07-14T17:00:00.000Z","descriptions":[{"lang":"en","value":"Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","availabilityRequirement":"NOT_DEFINED","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-116","description":"Improper Encoding or Escaping of Output (CWE-116)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T19:44:17.756Z","orgId":"078d4453-3bcd-4900-85e6-15281da43538","shortName":"adobe"},"references":[{"tags":["vendor-advisory"],"url":"https://helpx.adobe.com/security/products/magento/apsb26-73.html"}],"source":{"discovery":"EXTERNAL"},"title":"Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"078d4453-3bcd-4900-85e6-15281da43538","assignerShortName":"adobe","cveId":"CVE-2026-48358","datePublished":"2026-07-14T19:44:17.756Z","dateReserved":"2026-05-21T15:28:38.140Z","dateUpdated":"2026-07-15T10:27:07.982Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 20:17:08","lastModifiedDate":"2026-07-15 11:16:29","problem_types":["CWE-116","CWE-116 Improper Encoding or Escaping of Output (CWE-116)"],"metrics":{"cvssMetricV31":[{"source":"psirt@adobe.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-15T04:01:08.797969Z","id":"CVE-2026-48358","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48358","Ordinal":"1","Title":"Adobe Commerce | Improper Encoding or Escaping of Output (CWE-11","CVE":"CVE-2026-48358","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48358","Ordinal":"1","NoteData":"Adobe Commerce is affected by an Improper Encoding or Escaping of Output vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.","Type":"Description","Title":"Adobe Commerce | Improper Encoding or Escaping of Output (CWE-11"}]}}}