Critical

SSRF in Adobe Campaign Classic 7.4.3 build 9394 and earlier

IdentifiersCVE-2026-47938CWE-918· Server-Side Request Forgery (SSRF)

CVE-2026-47938 is a server-side request forgery (SSRF) vulnerability affecting Adobe Campaign Classic (ACC) 7.4.3 build 9394 and earlier. Adobe’s published CVE history indicates the issue is network exploitable, requires no privileges, and does not require user interaction. The vulnerable condition allows an attacker to cause the ACC server to issue unintended requests, consistent with CWE-918. Adobe initially described the impact as arbitrary code execution in the context of the current user, but later revised the CVE description to state that the issue could result in privilege escalation and noted that scope is changed. Based on the provided content, the precise vulnerable component or function is not identified.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can compromise the affected ACC instance with high confidentiality, integrity, and availability impact per the published CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Adobe’s current CVE description states the SSRF could result in privilege escalation. Supporting content also notes that Adobe initially described the impact as arbitrary code execution in the context of the current user before revising the description. At minimum, the issue enables unauthorized server-side network interaction; based on Adobe’s current description, it may be leveraged to elevate privileges within or through the affected application context.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting the ACC server’s ability to initiate outbound network connections to only required destinations, blocking access to internal-only services and cloud metadata endpoints, and segmenting the application from sensitive internal networks. Monitor for anomalous outbound requests originating from ACC and review application configurations or features that permit user-influenced remote resource fetching. These are general SSRF mitigations; the provided content does not include Adobe-specific workaround guidance.

Remediation

Patch, then assume compromise.

Upgrade Adobe Campaign Classic to a fixed release newer than version 7.4.3 build 9394, as referenced by Adobe advisory APSB26-66. Apply the vendor-provided security update addressing CVE-2026-47938 across all affected ACC deployments.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AdobeCampaign Classicapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Jun 9, 2026

CVE-2026-47938 - Adobe Campaign Classic (ACC) | Server-Side Request Forgery (SSRF) (CWE-918)

A specific SSRF vulnerability in Adobe Campaign Classic (ACC) 7.4.3 build 9394 and earlier. The record indicates impact language changed over time from arbitrary code execution in the context of the current user to privilege escalation, and exploitation does not require user interaction.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-47938

NVD

nvd.nist.gov/vuln/detail/CVE-2026-47938

MITRE CWE · CWE-918

Server-Side Request Forgery (SSRF)

helpx.adobe.com

helpx.adobe.com/security/products/campaign/apsb26-66.html