Description
Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Problem types
Server-Side Request Forgery (SSRF) (CWE-918)
Product status
Any version
2026.6.0 (custom)
Any version
SP2 - Hotfix for NPR-43972 (custom)
Any version
6.5.25 - Hotfix for NPR-43972 (custom)
References
helpx.adobe.com/...roducts/experience-manager/apsb26-74.html