CVE-2026-48359
Adobe · Experience Manager
Adobe Experience Manager is vulnerable to XML External Entity injection, which allows authenticated, low-privileged attackers to read sensitive files and potentially execute arbitrary code.
Executive summary
A critical XML External Entity vulnerability in Adobe Experience Manager enables low-privileged attackers to access sensitive system files and achieve arbitrary code execution.
Vulnerability
This vulnerability is an Improper Restriction of XML External Entity Reference (CWE-611). An authenticated, low-privileged attacker can submit malicious XML input to trigger the parsing of external entities, leading to unauthorized file access and potential code execution.
Business impact
Successful exploitation permits an attacker to read arbitrary files from the file system, which may include configuration files, credentials, or sensitive business data. The CVSS score of 9.6 underscores the critical threat to system integrity and confidentiality, as the vulnerability allows for escalated access and control in the affected environment.
Remediation
Immediate Action: Upgrade to the patched versions: Adobe Experience Manager as a Cloud Service 2026.6.0, Adobe Experience Manager 6.5 LTS SP2 (with Hotfix for NPR-43972), or Adobe Experience Manager 6.5.25 (with Hotfix for NPR-43972).
Proactive Monitoring: Monitor application logs for unexpected XML parsing errors or access attempts to sensitive system files.
Compensating Controls: Disable DTD (Document Type Definition) processing and external entity resolution in all XML parsers used by the application if immediate patching is not feasible.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a high risk to organizational security and should be addressed as a priority. Administrators must apply the required vendor updates or hotfixes immediately to eliminate the threat posed by improper XML entity handling.