Adobe releases March 2026 patches for multiple products
Take action: Prioritize patching of Adobe Commerce and Magento Open Source, which carry a Priority 2 rating with 19 vulnerabilities including 6 critical issues covering privilege escalation, security feature bypass, and arbitrary code execution. Then review the remaining Priority 3 advisories and update Illustrator, Acrobat and Reader, Premiere Pro, Experience Manager, Substance 3D Stager, Substance 3D Painter, and the DNG SDK.
Learn More
Adobe has released the March 2026 security updates patching vulnerabilities across multiple products. The updates address critical, important, and moderate vulnerabilities affecting Adobe Commerce, Magento Open Source, Illustrator, Acrobat and Reader, Premiere Pro, Experience Manager, Substance 3D Stager, Substance 3D Painter, and the DNG Software Development Kit that could lead to arbitrary code execution, privilege escalation, security feature bypass, memory exposure, arbitrary file system read, and application denial-of-service.
Adobe Commerce / Magento Open Source
Critical vulnerabilities
- CVE-2026-21361 (CVSS score 8.1) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.
- CVE-2026-21284 (CVSS score 8.1) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.
- CVE-2026-21289 (CVSS score 7.5) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2026-21290 (CVSS score 8.7) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.
- CVE-2026-21311 (CVSS score 8.0) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.
- CVE-2026-21309 (CVSS score 7.5) - Incorrect Authorization vulnerability that could lead to privilege escalation.
Important vulnerabilities
- CVE-2026-21285 (CVSS score 4.3) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2026-21286 (CVSS score 5.3) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2026-21291 (CVSS score 4.8) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-21292 (CVSS score 5.4) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-21293 (CVSS score 5.5) - Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read.
- CVE-2026-21294 (CVSS score 5.5) - Server-Side Request Forgery (SSRF) vulnerability that could lead to security feature bypass.
- CVE-2026-21359 (CVSS score 4.7) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2026-21360 (CVSS score 6.8) - Path Traversal vulnerability that could lead to security feature bypass.
- CVE-2026-21282 (CVSS score 5.3) - Improper Input Validation vulnerability that could lead to application denial-of-service.
- CVE-2026-21310 (CVSS score 5.3) - Improper Input Validation vulnerability that could lead to security feature bypass.
Moderate vulnerabilities
- CVE-2026-21295 (CVSS score 3.1) - Open Redirect vulnerability that could lead to security feature bypass.
- CVE-2026-21296 (CVSS score 3.5) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2026-21297 (CVSS score 3.5) - Incorrect Authorization vulnerability that could lead to security feature bypass.
Affected Versions:
- Adobe Commerce - 2.4.9-alpha3 and earlier, 2.4.8-p3 and earlier, 2.4.7-p8 and earlier, 2.4.6-p13 and earlier, 2.4.5-p15 and earlier, 2.4.4-p16 and earlier (All platforms)
- Adobe Commerce B2B - 1.5.3-alpha3 and earlier, 1.5.2-p3 and earlier, 1.4.2-p8 and earlier, 1.3.5-p13 and earlier, 1.3.4-p15 and earlier, 1.3.3-p16 and earlier (All platforms)
- Magento Open Source - 2.4.9-alpha3, 2.4.8-p3 and earlier, 2.4.7-p8 and earlier, 2.4.6-p13 and earlier, 2.4.5-p15 and earlier (All platforms)
Updated Versions:
- Adobe Commerce - 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 (All platforms)
- Adobe Commerce B2B - 1.5.3-beta1, 1.5.2-p4, 1.4.2-p9, 1.3.5-p14, 1.3.4-p16, 1.3.3-p17 (All platforms)
- Magento Open Source - 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16 (All platforms)
Critical vulnerabilities
- CVE-2026-21333 (CVSS score 8.6) - Untrusted Search Path vulnerability that could lead to arbitrary code execution.
- CVE-2026-21362 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27271 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27272 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27267 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
Important vulnerabilities
- CVE-2026-27268 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
- CVE-2026-27270 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Illustrator 2025 - 29.8.4 and earlier versions (Windows)
- Illustrator 2026 - 30.1 and earlier versions (Windows)
Updated Versions:
- Illustrator 2025 - 29.8.5 (Windows and macOS)
- Illustrator 2026 - 30.2 (Windows and macOS)
Critical vulnerabilities
- CVE-2026-27220 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2026-27278 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
Important vulnerability
- CVE-2026-27221 (CVSS score 5.5) - Improper Verification of Cryptographic Signature vulnerability that could lead to privilege escalation.
Affected Versions:
- Acrobat DC - 25.001.21265 and earlier (Windows and macOS)
- Acrobat Reader DC - 25.001.21265 and earlier (Windows and macOS)
- Acrobat 2024 - Win 24.001.30307 and earlier, Mac 24.001.30308 and earlier (Windows and macOS)
Updated Versions:
- Acrobat DC - 25.001.21288 (Windows and macOS)
- Acrobat Reader DC - 25.001.21288 (Windows and macOS)
- Acrobat 2024 - 24.001.30356 (Windows and macOS)
Critical vulnerability
- CVE-2026-27269 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe Premiere Pro - 25.5 and earlier versions (Windows and macOS)
Updated Versions:
- Adobe Premiere Pro - 26.0 (Windows and macOS)
- Adobe Premiere Pro - 25.6 LTS (Windows and macOS)
Important vulnerabilities
- CVE-2026-27223 through CVE-2026-27266 - 33 Cross-site Scripting vulnerabilities (32 Stored XSS, 1 DOM-based XSS), all rated CVSS 5.4, that could lead to arbitrary code execution.
Affected Versions:
- Adobe Experience Manager - AEM Cloud Service (CS) (All platforms)
- Adobe Experience Manager - 6.5 LTS SP1 and earlier (All platforms)
- Adobe Experience Manager - 6.5.SP23 and earlier (All platforms)
Updated Versions:
- Adobe Experience Manager - AEM Cloud Service (CS) Release 2026.02 (All platforms)
- Adobe Experience Manager - 6.5 LTS Service Pack 2 (All platforms)
- Adobe Experience Manager - 6.5 Service Pack 24 (All platforms)
Critical vulnerabilities
- CVE-2026-27273 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27274 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27275 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27276 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2026-27277 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2026-27279 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe Substance 3D Stager - 3.1.7 and earlier versions (Windows and macOS)
Updated Version:
- Adobe Substance 3D Stager - 3.1.8 (Windows and macOS)
Important vulnerabilities
- CVE-2026-21363 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-21364 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-21365 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
- CVE-2026-27214 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-27215 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-27216 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
- CVE-2026-27217 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-27218 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
- CVE-2026-27219 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe Substance 3D Painter - 11.1.2 and earlier versions (All platforms)
Updated Version:
- Adobe Substance 3D Painter - 11.1.3 (All platforms)
Adobe DNG Software Development Kit (SDK)
Critical vulnerability
- CVE-2026-27280 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Important vulnerability
- CVE-2026-27281 (CVSS score 5.5) - Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service.
Affected Versions:
- Adobe DNG SDK - 1.7.1 build 2471 and earlier versions (All platforms)
Updated Version:
- Adobe DNG SDK - 1.7.1 build 2502 (All platforms)
Adobe claims that they are not aware of any exploits in the wild for any of the issues addressed in these updates. Users are strongly encouraged to update their software to the latest versions.
