Adobe pushed security updates on Tuesday to address a total of 254 security flaws affecting software products.
Of the 254 defects, 225 are resident of AEM and affect all versions, including AEM Cloud Services (CS) and 6.5.22. This issue was resolved in AEM Cloud Services release 2025.5 and version 6.5.23.
“The success of exploitation of these vulnerabilities can lead to arbitrary code execution, privilege escalation, and security feature bypass,” Adobe said in its advisory.
Almost all 225 vulnerabilities are classified as cross-site scripting (XSS) vulnerabilities, particularly as mixtures of stored and DOM-based XSS, which can be exploited to achieve arbitrary code execution.
Adobe praised security researchers Jim Green (Green-Jam), Akshay Sharma (Anonymous_blackzero), and LPI for discovering and reporting defects in the XSS.
The most serious flaws the company patched as part of this month’s update is about open source code execution flaws in Adobe Commerce and Magento.
CVE-2025-47110 (CVSS score: 9.1) is a vulnerability in XSS that can result in arbitrary code execution. Inappropriate approval flaws (CVE-2025-43585, CVSS score: 8.2) that could lead to security feature bypassing are also addressed.
The following versions are affected –
- Adobe Commerce (2.4.8, 2.4.7-P5 and earlier, 2.4.6-P10 and earlier, 2.4.5-P12 and earlier, 2.4.4-P13 and earlier)
- Adobe Commerce B2B (1.5.2 or earlier, 1.4.2-P5 or earlier, 1.3.5-P10 or earlier, 1.3.4-P12 or earlier, 1.3.3-P13 or earlier)
- Magento Open Source (2.4.8, 2.4.7-P5 and earlier, 2.4.6-P10 and earlier, 2.4.5-P12 and earlier)
Of the remaining updates, four are related to code execution flaws in Adobe Incpy (CVE-2025-30327, CVE-2025-47107, CVSS score: 7.8) and Sustance 3D sampler (CVE-2025-43581, CVE-2025-43588, CVS SCORES: 7.8).
None of the bugs are listed as being exposed or exploited in the wild, but users are advised to update their instances to the latest version to prevent potential threats.
