SecurityWeek

Adobe Patches Critical Vulnerability in Connect Collaboration Suite

Adobe has published a dozen security advisories detailing over 35 vulnerabilities across its product portfolio.

Adobe on Tuesday announced patches for over 35 vulnerabilities in its products, including a critical-severity bug in the Adobe Connect collaboration suite.

The critical flaw, tracked as CVE-2025-49553 (CVSS score of 9.3), is described as a cross-site scripting (XSS) issue that could be exploited to execute arbitrary code.

Fixes for the security defect were included in Adobe Connect version 12.10, which has been rolled out to Windows and macOS systems along with patches for two other flaws, including a high-severity XSS bug leading to code execution.

The company patched another high-severity XSS issue in Commerce and Magento Open Source, warning it could lead to privilege escalation. The updates also resolve a high-severity security bypass, along with three medium-severity defects leading to code execution, privilege escalation, and protection bypass.

High-severity vulnerabilities that could lead to arbitrary code execution, all with a CVSS score of 7.8, were addressed with security updates for Substance 3D Stager, Dimension, Illustrator, FrameMaker, Substance 3D Modeler, Substance 3D Viewer, Animate, and Bridge.

Although these issues have CVSS scores that place them in the ‘high severity’ category, Adobe lists them in its advisories as ‘critical’.

Adobe’s updates for Experience Manager Screens, Animate, Substance 3D Viewer, Bridge, and Creative Cloud Desktop Application resolve a total of eight medium-severity security holes.

Adobe lists most of these security updates with a priority rating of ‘3’, meaning that it does not expect the patched bugs to be targeted in attacks, but increases the priority rating of the Commerce and Magento Open Source update to ‘2’, as these are products that have historically been at elevated risk.

The company says it is not aware of any of these issues being exploited in the wild, but users should apply the available patches as soon as possible. Additional information can be found on Adobe’s PSIRT page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
