Adobe on Tuesday pushed security updates to address a total of 254 security flaws impacting its software products, a majority of which affect Experience Manager (AEM).
Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) as well as all versions prior to and including 6.5.22. The issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23.
“Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass,” Adobe said in an advisory.
Almost all the 225 vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, specifically a mix of stored XSS and DOM-based XSS, that could be exploited to achieve arbitrary code execution.
Adobe has credited security researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for discovering and reporting the XSS flaws.
The most severe of the flaws patched by the company as part of this month’s update concerns a code execution flaw in Adobe Commerce and Magento Open Source.
The critical-rated vulnerability, CVE-2025-47110 (CVSS score: 9.1) is a reflected XSS vulnerability that could result in arbitrary code execution. Also addressed is an improper authorization flaw (CVE-2025-43585, CVSS score: 8.2) that could lead to a security feature bypass.
The following versions are impacted –
- Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier)
- Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
- Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)
Of the remaining updates, four relate to code execution flaws in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).
While none of the bugs have been listed as publicly known or exploited in the wild, users are advised to update their instances to the latest version to safeguard against potential threats.
