Adobe threat watch

Adobe product CVE coverage from NVD — Acrobat, Photoshop, Commerce/Magento, and Creative Cloud components.

Vendor watch hub

What this page covers

The Adobewatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

Confirm whether recent Adobe activity overlaps with your environment.
Prioritize advisories by MSP-relevance score, severity, and status.
Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

925

Active

Featured

363

Unique CVEs

Most recent entry

May 19, 2026, 7:00 PM

Feed refreshes daily · 5:15 a.m. Central

Sources·CISA KEV and NVD (product vendor coverage)

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Watch items

Recent Adobe watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.

20 rows · sorted newest first

Operations view

Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability

critical

activeCISA KEVCVE-2009-3459

Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.

May 19, 2026, 7:00 PMOfficial source

after effects vulnerability (CVE-2026-34690)

HIGH

watchNVDCVE-2026-34690

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34686)

HIGH

watchNVDCVE-2026-34686

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

May 12, 2026, 3:16 PMOfficial source

c2pa vulnerability (CVE-2026-34665)

HIGH

watchNVDCVE-2026-34665

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34653)

HIGH

watchNVDCVE-2026-34653

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34652)

HIGH

watchNVDCVE-2026-34652

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34651)

HIGH

watchNVDCVE-2026-34651

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34650)

HIGH

watchNVDCVE-2026-34650

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34649)

HIGH

watchNVDCVE-2026-34649

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34648)

HIGH

watchNVDCVE-2026-34648

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34647)

HIGH

watchNVDCVE-2026-34647

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34646)

HIGH

watchNVDCVE-2026-34646

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

May 12, 2026, 3:16 PMOfficial source

commerce vulnerability (CVE-2026-34645)

HIGH

watchNVDCVE-2026-34645

May 12, 2026, 3:16 PMOfficial source

substance 3d designer vulnerability (CVE-2026-34684)

HIGH

watchNVDCVE-2026-34684

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

May 12, 2026, 2:16 PMOfficial source

substance 3d designer vulnerability (CVE-2026-34683)

HIGH

watchNVDCVE-2026-34683

May 12, 2026, 2:16 PMOfficial source

substance 3d designer vulnerability (CVE-2026-34682)

HIGH

watchNVDCVE-2026-34682

May 12, 2026, 2:16 PMOfficial source

substance 3d designer vulnerability (CVE-2026-34681)

HIGH

watchNVDCVE-2026-34681

May 12, 2026, 2:16 PMOfficial source

connect desktop application vulnerability (CVE-2026-34660)

CRITICAL

watchNVDCVE-2026-34660

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

May 12, 2026, 2:16 PMOfficial source

connect desktop application vulnerability (CVE-2026-34659)

CRITICAL

watchNVDCVE-2026-34659

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

May 12, 2026, 2:16 PMOfficial source

illustrator vulnerability (CVE-2026-34687)

HIGH

watchNVDCVE-2026-34687

Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

May 12, 2026, 1:17 PMOfficial source

Alert	Exposure	Status	Published	Source
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption. Acrobat and Reader	criticalCVE-2009-3459 Critical	active	May 19, 2026, 7:00 PM	CISA KEVOpen source
after effects vulnerability (CVE-2026-34690) After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. after effects	HIGHCVE-2026-34690 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34686) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed. commerce	HIGHCVE-2026-34686 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
c2pa vulnerability (CVE-2026-34665) CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. c2pa	HIGHCVE-2026-34665 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34653) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed. commerce	HIGHCVE-2026-34653 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34652) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34652 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34651) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34651 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34650) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34650 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34649) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34649 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34648) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34648 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34647) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. commerce	HIGHCVE-2026-34647 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34646) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34646 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
commerce vulnerability (CVE-2026-34645) Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. commerce	HIGHCVE-2026-34645 Watch	watch	May 12, 2026, 3:16 PM	NVDOpen source
substance 3d designer vulnerability (CVE-2026-34684) Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. substance 3d designer	HIGHCVE-2026-34684 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
substance 3d designer vulnerability (CVE-2026-34683) Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. substance 3d designer	HIGHCVE-2026-34683 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
substance 3d designer vulnerability (CVE-2026-34682) Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. substance 3d designer	HIGHCVE-2026-34682 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
substance 3d designer vulnerability (CVE-2026-34681) Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. substance 3d designer	HIGHCVE-2026-34681 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
connect desktop application vulnerability (CVE-2026-34660) Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. connect desktop application	CRITICALCVE-2026-34660 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
connect desktop application vulnerability (CVE-2026-34659) Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. connect desktop application	CRITICALCVE-2026-34659 Watch	watch	May 12, 2026, 2:16 PM	NVDOpen source
illustrator vulnerability (CVE-2026-34687) Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. illustrator	HIGHCVE-2026-34687 Watch	watch	May 12, 2026, 1:17 PM	NVDOpen source

Related vendors

Other productivity vendors in the radar

Google Workspace Microsoft Apple Oracle Google Mozilla Atlassian Dell

ITECS response pathways

Turn the Adobe watch feed into an action plan

These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.

Cybersecurity services

Use the cybersecurity services pathway when this vendor alert needs an ITECS-managed response plan.

Cybersecurity services

Connect the vendor watch page to broader managed detection, response, and governance planning.

Cybersecurity assessment

Translate current watch items into a faster risk snapshot and prioritized remediation plan.

Threat Radar hub

Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.

Vendor watch FAQ

Common questions

What is the Adobe threat watch page?

It is the Adobe-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the Adobe watch page?

Use it to confirm whether current Adobe issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to Adobe security issues?

Yes. ITECS can help map Adobe advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.

Back to Threat Radar hub Cybersecurity services