Description
Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Campaign Classic versions 7.4.3 build 9394 and earlier are vulnerable to a Server‑Side Request Forgery (SSRF) flaw that can be exploited without any user interaction. The weakness allows an attacker to instruct the application to make arbitrary HTTP requests to internal or external resources, potentially exposing sensitive data or facilitating a privilege escalation scenario. The vulnerability is identified as CWE‑918 and is rated with a CVSS of 10, indicating a critical level of risk.

Affected Systems

Adobe Campaign Classic (ACC) users running version 7.4.3 build 9394 or any earlier version are impacted. These builds should be upgraded to the latest patch level released by Adobe, which addresses the SSRF condition and associated privilege escalation.

Risk and Exploitability

Exploitation requires no user action and leverages the application's outbound request capability, making remote exploitation straightforward for attackers with network access to the ACC instance. With a CVSS score of 10, the flaw is considered critical; the EPSS score is currently unavailable, so the probability of exploitation in the wild is unknown but cannot be assumed low. The vulnerability is not listed in the CISA KEV catalog, yet its critical severity warrants immediate remediation.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Campaign Classic patch that fixes the SSRF vulnerability.
  • Restrict the ACC instance’s outbound network traffic to only approved IP addresses or domains to limit potential attack surface.
  • Enable logging and monitoring of outbound HTTP requests to detect and investigate suspicious activity.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type: Description
Values Removed: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Values Added: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. Scope is changed.

Tue, 09 Jun 2026 21:15:00 +0000

Type: Description
Values Added: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Type: Title
Values Added: Adobe Campaign Classic (ACC) | Server-Side Request Forgery (SSRF) (CWE-918)

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T21:01:11.348Z

Reserved: 2026-05-20T15:50:31.362Z

Link: CVE-2026-47938

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T21:17:23.580

Modified: 2026-06-09T22:16:25.630

Link: CVE-2026-47938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses