[ad_1]
Adobe on Tuesday pushed safety updates to deal with a complete of 254 safety flaws impacting its software program merchandise, a majority of which have an effect on Experience Manager (AEM).
Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) in addition to all variations previous to and together with 6.5.22. The points have been resolved in AEM Cloud Service Release 2025.5 and model 6.5.23.
“Successful exploitation of those vulnerabilities might lead to arbitrary code execution, privilege escalation, and safety characteristic bypass,” Adobe stated in an advisory.
Almost all of the 225 vulnerabilities have been labeled as cross-site scripting (XSS) vulnerabilities, particularly a mixture of saved XSS and DOM-based XSS, that might be exploited to attain arbitrary code execution.
Adobe has credited safety researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for locating and reporting the XSS flaws.
The most extreme of the issues patched by the corporate as a part of this month’s replace issues a code execution flaw in Adobe Commerce and Magento Open Source.
The critical-rated vulnerability, CVE-2025-47110 (CVSS rating: 9.1) is a mirrored XSS vulnerability that would lead to arbitrary code execution. Also addressed is an improper authorization flaw (CVE-2025-43585, CVSS rating: 8.2) that would result in a safety characteristic bypass.
The following variations are impacted –
- Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and a couple of.4.4-p13 and earlier)
- Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
- Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)
Of the remaining updates, 4 relate to code execution flaws in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).
While not one of the bugs have been listed as publicly identified or exploited within the wild, customers are suggested to replace their situations to the most recent model to safeguard towards potential threats.