Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-48000— Adobe Commerce | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

CVSS 4.3 · Medium EPSS 0.35% · P28

Affected Version Matrix 8

VendorProductVersion RangeStatus
AdobeAdobe Commerce≤ 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18affected
2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-julunaffected
AdobeAdobe Commerce B2B≤ 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18affected
1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-julunaffected
AdobeAdobe Commerce Webhooks Plugin≤ 1.20.0affected
1.21.0unaffected
AdobeMagento Open Source≤ 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15affected
2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-julunaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48000

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Adobe Commerce | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Adobe Commerce 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
adobe commerce是美国Adobe公司的一种面向商家和品牌的全球领先的数字商务解决方案。 Adobe Commerce存在输入验证错误漏洞,该漏洞源于受不当重定向影响,可能导致安全功能被绕过。以下版本受到影响:Adobe Commerce 2.4.9及之前版本、2.4.8-p5及之前版本、2.4.7-p10及之前版本、2.4.6-p15及之前版本、2.4.5-p17及之前版本和2.4.4-p18及之前版本;Adobe Commerce B2B 1.5.3及之前版本、1.5.2-p5及之前版本、1
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
AdobeAdobe Commerce 0 ~ 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18 -
AdobeAdobe Commerce B2B 0 ~ 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18 -
AdobeMagento Open Source 0 ~ 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 -
AdobeAdobe Commerce Webhooks Plugin 0 ~ 1.20.0 -

II. Public POCs for CVE-2026-48000

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48000

登录查看更多情报信息。

Vendor Advisories for CVE-2026-48000 (1)

Same Patch Batch · Adobe · 2026-07-14 · 88 CVEs total

CVE-2026-483189.9 CRITICALColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'
CVE-2026-482849.6 CRITICALColdFusion | Improper Input Validation (CWE-20)
CVE-2026-483229.6 CRITICALColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94)
CVE-2026-483569.6 CRITICALAdobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434)
CVE-2026-483599.6 CRITICALAdobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (
CVE-2026-482599.6 CRITICALAdobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)
CVE-2026-483349.3 CRITICALIllustrator | Improper Input Validation (CWE-20)
CVE-2026-483219.3 CRITICALColdFusion | Incorrect Authorization (CWE-863)
CVE-2026-483259.3 CRITICALColdFusion | Missing Authentication for Critical Function (CWE-306)
CVE-2026-483249.1 CRITICALColdFusion | Improper Neutralization of Special Elements used in an SQL Command ('SQL Inje
CVE-2026-483199.1 CRITICALColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'
CVE-2026-483589.1 CRITICALAdobe Commerce | Improper Encoding or Escaping of Output (CWE-116)
CVE-2026-483279.0 CRITICALColdFusion | Incorrect Authorization (CWE-863)
CVE-2026-479948.7 HIGHAdobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
CVE-2026-483108.6 HIGHAdobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory ('P
CVE-2026-483508.6 HIGHAnimate | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (
CVE-2026-479888.6 HIGHAdobe Commerce | Incorrect Authorization (CWE-863)
CVE-2026-482528.6 HIGHAdobe Experience Manager | Missing Authentication for Critical Function (CWE-306)
CVE-2026-482758.6 HIGHIllustrator | Untrusted Search Path (CWE-426)
CVE-2026-483208.5 HIGHColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)

Showing top 20 of 88 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-48000

No comments yet


Leave a comment