
On Tuesday, Adobe released security updates to fix a total of 254 vulnerabilities affecting its software products, with the majority impacting Adobe Experience Manager (AEM).

Out of the 254 vulnerabilities, 225 are found in AEM, affecting both the AEM Cloud Service (CS) and all versions up to and including 6.5.22. These issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23.

According to Adobe's advisory, "Successful exploitation of these vulnerabilities could lead to arbitrary code execution, privilege escalation, and security feature bypass."

Nearly all of the 225 vulnerabilities are classified as cross-site scripting (XSS) vulnerabilities, specifically a combination of stored XSS and DOM-based XSS, which could be exploited to achieve arbitrary code execution.

Adobe has acknowledged security researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for discovering and reporting these XSS vulnerabilities.

Among the most critical flaws addressed in this month's update is a code execution vulnerability in Adobe Commerce and Magento Open Source. The critical vulnerability, identified as CVE-2025-47110 (CVSS score: 9.1), is a reflected XSS vulnerability that could allow for arbitrary code execution. Additionally, an improper authorization flaw (CVE-2025-43585, CVSS score: 8.2) that could lead to a security feature bypass has also been fixed.

The following versions are affected:

- Adobe Commerce: 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier
- Adobe Commerce B2B: 1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier
- Magento Open Source: 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier

Additionally, four updates address code execution flaws in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).
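As an added example (not from Adobe or the article), the following script encodes the Adobe Commerce, Commerce B2B and Magento Open Source ranges listed above and checks an installed version string against them, handling the `-pN` patch-level suffix so that, for instance, 2.4.7-p5 is flagged but 2.4.7-p6 is not. It assumes Adobe's "X and earlier" wording on the oldest listed release line also covers older release lines.

```python
import re

# Affected ranges as listed in the advisory summary above. Each release line maps
# to the highest patch level listed as affected; None means only the bare
# release (no -pN suffix) is listed, so any later patch level is not flagged.
AFFECTED = {
    "Adobe Commerce": {
        (2, 4, 8): None, (2, 4, 7): 5, (2, 4, 6): 10, (2, 4, 5): 12, (2, 4, 4): 13,
    },
    "Adobe Commerce B2B": {
        (1, 5, 2): None, (1, 4, 2): 5, (1, 3, 5): 10, (1, 3, 4): 12, (1, 3, 3): 13,
    },
    "Magento Open Source": {
        (2, 4, 8): None, (2, 4, 7): 5, (2, 4, 6): 10, (2, 4, 5): 12,
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], int]:
    """Split '2.4.7-p5' into ((2, 4, 7), 5); a bare release has patch level 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), int(m[4] or 0)


def listed_as_affected(product: str, version: str) -> bool:
    """True if the installed version falls inside a range listed as affected."""
    release, patch = parse_version(version)
    ranges = AFFECTED[product]
    if release in ranges:
        max_patch = ranges[release]
        return patch == 0 if max_patch is None else patch <= max_patch
    # Assumption: "and earlier" on the oldest listed line covers older lines too.
    if release < min(ranges):
        return True
    # Newer release lines are simply not listed in this advisory.
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("Adobe Commerce", "2.4.7-p5"),
                             ("Magento Open Source", "2.4.8-p1")]:
        print(product, version, "affected" if listed_as_affected(product, version) else "not listed")
```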

While none of these vulnerabilities have been reported as publicly known or exploited in the wild, users are strongly advised to update their software to the latest versions to protect against potential threats.