Bulletin 115/2026

[TLP:CLEAR]

security bulletin 115/2026

Adobe updates

11-06-2026

adobe, coldfusion, experience-manager, acrobat-reader, remote-code-execution, xss

description

Adobe has published security updates that fix vulnerabilities across a broad set of products: ColdFusion, Adobe Campaign Classic (ACC), Adobe Experience Manager (AEM) and AEM Forms JEE, Acrobat/Reader, InDesign Desktop, InCopy, Dreamweaver Desktop, Substance3D Sampler, CAI Content Credentials and Format Plugins.

The highest-severity vulnerabilities affect ColdFusion (Improper Input Validation CWE-20, Path Traversal CWE-22, Incorrect Authorization CWE-863, XXE CWE-611, Stored XSS CWE-79) and Adobe Campaign Classic (SSRF CWE-918, Incorrect Authorization CWE-863), with CVSS up to 10.0 and priority rated critical.

Acrobat/Reader presents a homogeneous cluster of Use After Free (CWE-416), Out-of-bounds Write (CWE-787) and Stack-based Buffer Overflow (CWE-121) vulnerabilities, all with an outcome of arbitrary code execution in the context of the current user. A similar pattern appears in InDesign Desktop and InCopy, with the addition of Heap-based Buffer Overflow (CWE-122) and Out-of-bounds Write (CWE-787).

Adobe Experience Manager and AEM Forms JEE concentrate a large number of XSS vulnerabilities (stored, reflected and DOM-based, CWE-79), alongside Improper Input Validation (CWE-20) and Open Redirect (CWE-601). CAI Content Credentials is affected by Integer Overflow (CWE-190), Improper Input Validation (CWE-20), Uncontrolled Resource Consumption (CWE-400) and Path Traversal (CWE-22). Dreamweaver Desktop presents Dependency on Vulnerable Third-Party Component (CWE-1395), Improper Access Control (CWE-284), Access of Uninitialized Pointer (CWE-824) and Incorrect Authorization (CWE-863).

notes

The CVEs with the highest critical priority are concentrated in Adobe Campaign Classic and ColdFusion.

CVE-2026-48303 (ACC, Incorrect Authorization, CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C) is exploitable remotely without authentication or user interaction, with scope Changed: the impact extends beyond the current process. It is the CVE with the highest priority_score in the set (18.28). CVE-2026-47938 (ACC, SSRF, CVSS 10.0, same vector) shares the same exploitability and scope characteristics.

CVE-2026-47928 (ColdFusion, Improper Input Validation, CVSS 10.0) has vector AV:A, i.e. it requires adjacent network access, with AC:L, PR:N, UI:N, S:C. Arbitrary code execution with scope Changed. CVE-2026-47930 (ColdFusion, Improper Input Validation, CVSS 8, AV:N/AC:L/PR:L) is exploitable remotely with low privileges, outcome security feature bypass. CVE-2026-47931 (ColdFusion, Improper Input Validation, CVSS 8, AV:A/PR:H/S:C) requires adjacent access and high privileges but has scope Changed. CVE-2026-47932 (ColdFusion, Path Traversal, CVSS 9, AV:A/AC:L/PR:N/UI:R/S:C) requires user interaction, scope Changed, security feature bypass. CVE-2026-47960 (ColdFusion, XXE, CVSS 7, AV:N/AC:L/PR:N/UI:R/S:C) is exploitable remotely without authentication but with user interaction, scope Changed, arbitrary file system read. CVE-2026-47929 (ColdFusion, Incorrect Authorization, CVSS 8, AV:A/PR:H) requires adjacent access and high privileges.

AEM Forms JEE: CVE-2026-34691 (Stored XSS, CVSS 9, AV:N/PR:N/UI:R/S:C) requires no authentication, scope Changed. CVE-2026-34693 (Reflected XSS, CVSS 8, AV:N/AC:H/PR:N/UI:R/S:C) requires high attack complexity. CVE-2026-34694 (Stored XSS, CVSS 6, AV:N/PR:H/UI:R/S:C) requires high privileges.

Acrobat/Reader (versions ≤ 26.001.21651 and ≤ 24.001.30365): the Use After Free cluster (CVE-2026-47912 to CVE-2026-47921, CVE-2026-47955) has vector AV:L/AC:L/PR:N/UI:R/S:U, arbitrary code execution in the context of the current user, priority high. CVE-2026-47924 (UAF) and CVE-2026-47923, CVE-2026-47926 (OOB Read) have an outcome of sensitive memory disclosure, CVSS 6. CVE-2026-47925 (Integer Overflow) causes application DoS.

InDesign Desktop (versions < 21.4 in the 21.x branch and < 20.5.4 in the 20.x branch) and InCopy (same ranges): all CVEs have vector AV:L/AC:L/PR:N/UI:R/S:U, arbitrary code execution, priority high. They affect macOS and Windows. The NULL Pointer Dereference issues (CVE-2026-34703, CVE-2026-34704) have an outcome of application DoS.

Dreamweaver Desktop (≤ 21.7): CVE-2026-47906 (CWE-1395, CVSS 9, AV:L/S:C) has scope Changed. CVE-2026-47907 (CWE-284, CVSS 8, AV:L/S:C) leads to arbitrary file system read with scope Changed. CVE-2026-47908 (CWE-824, CVSS 8, AV:L/S:U): arbitrary code execution. CVE-2026-47909 (CWE-20, CVSS 6, AV:L/S:C) and CVE-2026-47910 (CWE-863, CVSS 6, AV:L/S:C): arbitrary file system read with scope Changed.

CAI Content Credentials (≤ c2pa-v0.80.1): CVE-2026-34711 (Integer Overflow, CVSS 8) and CVE-2026-34712 (Improper Input Validation, CVSS 8) are exploitable remotely (AV:N/AC:L/PR:N/UI:N/S:U), with DoS impact (A:H). CVE-2026-34713 (Uncontrolled Resource Consumption, CVSS 8, AV:N) is analogous. CVE-2026-34657 (Path Traversal, CVSS 6, AV:L): arbitrary file system write, priority medium. The local CVEs (CVE-2026-47902 to CVE-2026-47905) have vector AV:L/UI:N, DoS, priority medium.

AEM (≤ 2026.04 / ≤ 6.5.24): the XSS cluster (stored and DOM-based) uniformly has AV:N/AC:L/PR:L/UI:R/S:C, priority medium. CVE-2026-47991 (Open Redirect, CVSS 4, AV:N/PR:N/UI:R): potential account takeover. CVE-2026-48288 and CVE-2026-48289 (Improper Input Validation, CVSS 4): security feature bypass, AV:N/PR:L.

Format Plugins (≤ 1.1.2): CVE-2026-48291 and CVE-2026-48292 (Heap-based Buffer Overflow, CVSS 8, AV:L/UI:R/S:U): arbitrary code execution, priority high.

As of today, none of these CVEs appear in the CISA KEV catalog, and no in-the-wild exploitation or public proof-of-concept is known.

CVE

CVE  CVSS (version: score)  EPSS (score | percentile)  priority
CVE-2026-48303 3.1: 10.0 0.498% | 66.35% critical
CVE-2026-47938 3.1: 10.0 0.094% | 26.17% critical
CVE-2026-34691 3.1: 9.0 0.097% | 26.73% critical
CVE-2026-34712 3.1: 8.0 0.107% | 28.43% critical
CVE-2026-34693 3.1: 8.0 0.097% | 26.73% critical
CVE-2026-47930 3.1: 8.0 0.074% | 22.56% critical
CVE-2026-34711 3.1: 8.0 0.072% | 22.05% critical
CVE-2026-47928 3.1: 10.0 0.036% | 11.01% critical
CVE-2026-47960 3.1: 7.0 0.112% | 29.34% critical
CVE-2026-47931 3.1: 8.0 0.043% | 13.55% critical
CVE-2026-34713 3.1: 8.0 0.039% | 12.07% high
CVE-2026-34696 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47912 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47913 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47914 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47915 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47916 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47917 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47918 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47919 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47920 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47921 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47955 3.1: 8.0 0.033% | 10.03% high
CVE-2026-47906 3.1: 9.0 0.025% | 7.41% high
CVE-2026-47932 3.1: 9.0 0.024% | 7.23% high
CVE-2026-34694 3.1: 6.0 0.057% | 18.12% high
CVE-2026-47907 3.1: 8.0 0.026% | 7.92% high
CVE-2026-34695 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34697 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34698 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34699 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34700 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34701 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34702 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34706 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34707 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34708 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34709 3.1: 8.0 0.025% | 7.41% high
CVE-2026-34710 3.1: 8.0 0.025% | 7.41% high
CVE-2026-47908 3.1: 8.0 0.025% | 7.41% high
CVE-2026-47911 3.1: 8.0 0.025% | 7.41% high
CVE-2026-47959 3.1: 8.0 0.025% | 7.41% high
CVE-2026-48291 3.1: 8.0 0.025% | 7.41% high
CVE-2026-48292 3.1: 8.0 0.025% | 7.41% high
CVE-2026-48293 3.1: 8.0 0.025% | 7.41% high
CVE-2026-48305 3.1: 8.0 0.025% | 7.41% high
CVE-2026-48306 3.1: 8.0 0.025% | 7.41% high
CVE-2026-47929 3.1: 8.0 0.020% | 5.77% high
CVE-2026-47909 3.1: 6.0 0.031% | 9.56% high
CVE-2026-47924 3.1: 6.0 0.027% | 8.05% medium
CVE-2026-47903 3.1: 6.0 0.026% | 7.91% medium
CVE-2026-47933 3.1: 5.0 0.038% | 11.66% medium
CVE-2026-34657 3.1: 6.0 0.024% | 7.13% medium
CVE-2026-48288 3.1: 4.0 0.064% | 20.09% medium
CVE-2026-48289 3.1: 4.0 0.064% | 20.09% medium
CVE-2026-34705 3.1: 6.0 0.022% | 6.42% medium
CVE-2026-47923 3.1: 6.0 0.022% | 6.42% medium
CVE-2026-47926 3.1: 6.0 0.022% | 6.42% medium
CVE-2026-47910 3.1: 6.0 0.022% | 6.36% medium
CVE-2026-47935 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47936 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47939 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47941 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47942 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47943 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47944 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47945 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47946 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47947 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47948 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47949 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47950 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47951 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47953 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47954 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47956 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47957 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47958 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47962 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47966 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47970 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47972 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47973 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47974 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47975 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47977 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47978 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47980 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47981 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47982 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47983 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47985 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47986 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47987 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47989 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47990 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-47993 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48250 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48251 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48256 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48258 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48264 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48265 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48266 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48268 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48271 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48280 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48297 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48299 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48300 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48301 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-48304 3.1: 5.0 0.030% | 9.16% medium
CVE-2026-34692 3.1: 5.0 0.029% | 8.79% medium
CVE-2026-34703 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-34704 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-47902 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-47904 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-47905 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-47925 3.1: 6.0 0.018% | 4.84% medium
CVE-2026-47991 3.1: 4.0 0.041% | 12.75% medium

NOTE: Vulnerabilities are ordered by operational priority, computed by combining theoretical severity (CVSS) with the real probability of exploitation (EPSS).
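Added example, not part of the bulletin and not Adobe's or the publisher's code: a small Python triage helper that parses rows in the shape of the CVE table above together with the CVSS vectors quoted in the notes, classifies each CVE's exposure the way the notes reason about it (network without authentication or interaction, network with user interaction, adjacent, local) and orders the set by a combined CVSS/EPSS score. The combined formula is an assumption for illustration only, not the bulletin's priority_score; the sample rows and vectors are copied from the table and the notes, and the partial vector given for CVE-2026-47930 is kept as-is to show the parser tolerating missing metrics.

```python
"""Triage helper for a CVE table of the shape used in this bulletin.

Added example, not the bulletin's own tooling. Assumptions are marked:
the combined score is a toy formula, not the bulletin's priority_score.
"""
import re
from dataclasses import dataclass, field

# Rows copied from the bulletin's CVE table:
# CVE, CVSS version: score, EPSS score | EPSS percentile, vendor priority.
SAMPLE_TABLE = """\
CVE-2026-48303 3.1: 10.0 0.498% | 66.35% critical
CVE-2026-47928 3.1: 10.0 0.036% | 11.01% critical
CVE-2026-47930 3.1: 8.0 0.074% | 22.56% critical
CVE-2026-47960 3.1: 7.0 0.112% | 29.34% critical
CVE-2026-47912 3.1: 8.0 0.033% | 10.03% high
"""

# CVSS v3.1 vectors as quoted in the bulletin's notes. CVE-2026-47930 is
# quoted with a partial vector (no UI or S metric); the parser tolerates it.
SAMPLE_VECTORS = {
    "CVE-2026-48303": "AV:N/AC:L/PR:N/UI:N/S:C",
    "CVE-2026-47928": "AV:A/AC:L/PR:N/UI:N/S:C",
    "CVE-2026-47930": "AV:N/AC:L/PR:L",
    "CVE-2026-47960": "AV:N/AC:L/PR:N/UI:R/S:C",
    "CVE-2026-47912": "AV:L/AC:L/PR:N/UI:R/S:U",
}

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<ver>\d\.\d):\s+(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<epss>\d+(?:\.\d+)?)%\s+\|\s+(?P<pct>\d+(?:\.\d+)?)%\s+(?P<prio>\w+)$"
)


@dataclass
class Entry:
    cve: str
    cvss: float
    epss: float             # EPSS probability, in percent
    epss_percentile: float  # EPSS percentile, in percent
    vendor_priority: str
    vector: dict = field(default_factory=dict)


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector into {metric: value}. Accepts an optional
    'CVSS:3.1/' prefix and partial vectors; malformed tokens raise."""
    metrics = {}
    for token in vector.strip().split("/"):
        if token.startswith("CVSS:"):
            continue
        name, _, value = token.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric {token!r}")
        metrics[name] = value
    return metrics


def exposure_class(vec: dict) -> str:
    """Bucket reachability from AV/PR/UI, mirroring the notes' reasoning.
    Missing metrics fall through to the least specific bucket that fits."""
    av, pr, ui = vec.get("AV"), vec.get("PR"), vec.get("UI")
    if av == "N":
        if pr == "N" and ui == "N":
            return "remote-unauthenticated"
        if ui == "R":
            return "remote-user-interaction"
        return "remote-authenticated" if pr in ("L", "H") else "remote"
    if av == "A":
        return "adjacent"
    if av in ("L", "P"):
        return "local"
    return "unknown"


def parse_table(text: str) -> list:
    """Parse the bulletin-style rows into Entry records; reject junk rows."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        entries.append(Entry(m["cve"], float(m["cvss"]), float(m["epss"]),
                             float(m["pct"]), m["prio"]))
    return entries


def triage_score(e: Entry) -> float:
    """Toy combined score (assumption, not the bulletin's priority_score):
    CVSS weighted up by the EPSS percentile, so that among equal-CVSS items
    the ones more likely to be exploited sort first."""
    return e.cvss * (1 + e.epss_percentile / 100)


def rank(table: str, vectors: dict) -> list:
    """Return (cve, score, exposure) tuples, highest combined score first."""
    entries = parse_table(table)
    for e in entries:
        if e.cve in vectors:
            e.vector = parse_vector(vectors[e.cve])
    ranked = sorted(entries, key=triage_score, reverse=True)
    return [(e.cve, round(triage_score(e), 3), exposure_class(e.vector))
            for e in ranked]


if __name__ == "__main__":
    for cve, score, exposure in rank(SAMPLE_TABLE, SAMPLE_VECTORS):
        print(f"{cve}  {score:7.3f}  {exposure}")
```

Feed it the full table from this bulletin plus the vectors from the vendor advisories and the first column of output is a patch order; the exposure label is the field worth filtering on when deciding which hosts must be patched before the next maintenance window.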

attack types

CWE  description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-20 Improper Input Validation
CWE-121 Stack-based Buffer Overflow
CWE-416 Use After Free
CWE-122 Heap-based Buffer Overflow
CWE-787 Out-of-bounds Write
CWE-476 NULL Pointer Dereference
CWE-125 Out-of-bounds Read
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1395 Dependency on Vulnerable Third-Party Component
CWE-284 Improper Access Control
CWE-824 Access of Uninitialized Pointer
CWE-863 Incorrect Authorization
CWE-611 Improper Restriction of XML External Entity Reference
CWE-918 Server-Side Request Forgery (SSRF)

affected products

vendor  product & versions
Adobe acrobat reader
  • 26.001.21651
adobe campaign classic (acc)
  • 7.4.3 build 9394
adobe experience manager
  • 2026.04
adobe experience manager forms jee
  • 6.5.24.0
cai content credentials
  • c2pa-v0.80.1
coldfusion
  • 2025.8
dreamweaver desktop
  • 21.7
experience manager
  • SW: aem_cloud_service 2026.5.0
  • SW: lts 6.5 Patch: sp1
  • SW: lts 6.5 Patch: -
  • SW: - 6.5.25.0
format plugins
  • 1.1.2
incopy
  • From: 21.0 To: 21.4
  • 20.5.4
indesign
  • From: 21.0 To: 21.4
  • 20.5.4
indesign desktop
  • 20.5.3
substance 3d sampler
  • 6.0.1