Description
Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Campaign Classic versions 7.4.3 build 9394 and earlier are vulnerable to a Server‑Side Request Forgery (SSRF) flaw that can be exploited without any user interaction. The weakness allows an attacker to instruct the application to make arbitrary HTTP requests to internal or external resources, potentially exposing sensitive data or facilitating a privilege escalation scenario. The vulnerability is identified as CWE‑918 and is rated with a CVSS of 10, indicating a critical level of risk.

Affected Systems

Adobe Campaign Classic (ACC) users running version 7.4.3 build 9394 or earlier are impacted. These builds should be upgraded to the latest patch level released by Adobe, which addresses the SSRF condition and associated privilege escalation.

Risk and Exploitability

Exploitation requires no user action and leverages the application's outbound request capability, making remote exploitation straightforward for attackers with network access to the ACC instance. With a CVSS score of 10, the flaw is considered critical; the EPSS score is currently unavailable, so the probability of exploitation in the wild is unknown but cannot be assumed low. The vulnerability is not listed in the CISA KEV catalog, yet its high severity warrants immediate remediation.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Campaign Classic patch that fixes the SSRF vulnerability.
  • Restrict the ACC instance’s outbound network traffic to only approved IP addresses or domains to limit potential attack surface.
  • Enable logging and monitoring of outbound HTTP requests to detect and investigate suspicious activity.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:15:00 +0000

Type: First Time appeared
Values Added: Adobe; Adobe Campaign Classic

Type: Vendors & Products
Values Added: Adobe; Adobe Campaign Classic

Tue, 09 Jun 2026 21:45:00 +0000

Type: Description
Values Removed: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Values Added: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. Scope is changed.

Tue, 09 Jun 2026 21:15:00 +0000

Type: Description
Values Added: Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Type: Title
Values Added: Adobe Campaign Classic (ACC) | Server-Side Request Forgery (SSRF) (CWE-918)

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T14:22:13.296Z

Reserved: 2026-05-20T15:50:31.362Z

Link: CVE-2026-47938

Vulnrichment

Updated: 2026-06-10T14:22:09.264Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T21:17:23.580

Modified: 2026-06-10T18:35:49.083

Link: CVE-2026-47938

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)