Adobe has released fixes for security problems in several popular products, including Illustrator, Premiere Pro, After Effects, Adobe Connect, and Adobe Commerce. If left unpatched, these issues could let someone take control of a computer or account, install unwanted software, or access and change files.
The May 12, 2026 monthly security release addresses 52 vulnerabilities across 10 product families, according to Adobe PSIRT bulletins. Adobe states it is not aware of active exploitation for these specific CVEs, but the update arrives as organizations are still responding to Adobe’s April 2026 third-party BPO breach — a separate incident we covered in our April 2026 cyber incidents roundup.
Read Adobe’s security bulletin index:
https://helpx.adobe.com/security.html
What Adobe Patched
Adobe Connect (APSB26-50) — highest severity
Two critical flaws in the Adobe Connect Desktop Application affect versions through 2025.9.15 (Windows) and 2025.8.157 (macOS):
- CVE-2026-34659 (CVSS 9.6) — deserialization of untrusted data leading to arbitrary code execution
- CVE-2026-34660 (CVSS 9.3) — incorrect authorization leading to privilege escalation
Adobe rates this update Priority 3 and recommends upgrading to Desktop Application 2026.3.125 (Windows) / 2026.01.39 (macOS).
Adobe Commerce & Magento Open Source (APSB26-49) — largest patch volume
Adobe Commerce received 15 fixes (10 high-severity, 5 medium-severity) covering arbitrary code execution, security feature bypass, denial-of-service, cross-site scripting, and path traversal. Adobe assigned Priority 2 — higher than most Creative Cloud updates — because Commerce has been targeted in past campaigns.
Affected release lines include 2.4.8-p4 and earlier, 2.4.7-p9 and earlier, and 2.4.6-p14 and earlier. Adobe published patch releases including 2.4.8-p5, 2.4.7-p10, and 2.4.6-p15 on May 12, 2026.
Creative Cloud desktop applications
| Product | Bulletin | Notable impact |
|---|---|---|
| Premiere Pro | APSB26-46 | Remote code execution in versions through 25.6.4 and 26.0.2 |
| After Effects | APSB26-48 | Remote code execution in versions through 25.6.4 and 26.0 |
| Illustrator | APSB26-51 | Two critical code-execution flaws (CVE-2026-34661, CVE-2026-34687) in 2025 29.8.6 and 2026 30.3 and earlier |
| Media Encoder | APSB26-47 | Remote code execution in current release lines |
Adobe also patched Substance 3D Designer, Sampler, and Painter and the Content Authenticity SDK in the same monthly batch.
Connection to Adobe’s April 2026 Breach
These product patches are not a direct response to the April breach, but they compound risk for organizations already on alert.
In April 2026 reporting, Adobe confirmed a breach through a third-party BPO contractor involving phishing and privilege escalation. Alleged exposure included support tickets, employee data, and bug bounty submissions — the same class of identity and workflow data attackers reuse in follow-on campaigns.
The May PSIRT release and the April contractor incident illustrate two parallel Adobe risk surfaces:
- Endpoint and server software — unpatched Connect, Commerce, or Creative Cloud installs
- Identity and vendor access — contractors, help desks, and SSO portals without strong MFA and monitoring
Organizations that use Adobe for creative production, webinars (Connect), or e-commerce (Commerce) should treat patching and vendor access reviews as one combined program — not separate IT and security workstreams.
Who Should Act First
- E-commerce and retail running Adobe Commerce or Magento Open Source — apply Commerce patches immediately; restrict admin interfaces from the public internet until verified
- Marketing and creative teams on Premiere Pro, After Effects, or Illustrator — update via the Creative Cloud desktop app; do not open untrusted project or asset files on outdated builds
- Legal, HR, and training departments using Adobe Connect for webinars or depositions — prioritize Connect Desktop Application updates on all presenter and attendee machines
- Managed service providers and BPO vendors with Adobe admin access — enforce MFA, least-privilege roles, and session logging (lessons from the April contractor breach)
Priority Actions
- Inventory Adobe products across workstations, VDI pools, and Commerce/Connect servers.
- Patch Commerce and Connect first — highest CVSS scores and Priority 2 rating on Commerce.
- Push Creative Cloud updates through your MDM or RMM tool; verify build numbers match PSIRT solution tables.
- Restrict Commerce admin panels — allowlist admin IPs, enforce MFA, and review extension/third-party module code.
- Review BPO and contractor Adobe access — align with vendor risk assessments after the April incident.
- Monitor for phishing referencing Adobe invoices, Connect meeting invites, or Commerce order alerts.
Post-Incident Security Posture Assessment
We ran independent EmailMeNow Cybersecurity Audits against Adobe’s primary public domains on June 22, 2026:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| Adobe (adobe.com) | 74% | Good |
| Adobe Business (business.adobe.com) | 35% | Critical Risk |
| Adobe Commerce (commerce.adobe.com) | 35% | Critical Risk |
These scores reflect email authentication and transport security on public-facing domains — not whether individual CVEs are patched on your workstations. They do show a split posture: the main adobe.com marketing domain scores well, while commerce.adobe.com and business.adobe.com sit in the Critical Risk band, which can make phishing and domain impersonation easier against merchants and enterprise customers.
Audit links:
Why Texas Businesses Should Care
Texas organizations across hospitality, retail, legal marketing, and creative services routinely depend on Adobe tools. Unpatched desktop software can become the entry point for ransomware; unpatched Commerce instances can expose customer PII and payment workflows — incident patterns we track in Texas OAG breach reports and hospitality & retail breach summaries.
Patching alone does not satisfy Texas SB 2610 documentation expectations, but a written patch-management and vendor-access program is part of a defensible cybersecurity posture when client or customer data is at stake.
Related trackers
- April 2026 cyber incidents (Adobe BPO breach)
- Texas OAG YTD dashboard
- Hospitality & retail tracker
- Law firm breach tracker
- Monitoring guide
- Ransomware landscape (Jun 2026)
- CA June roundup
- TX June roundup
- All trackers
Protect your organization.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com to review DMARC, SPF, DKIM, and transport security — and contact EmailMeNow IT Consulting for patch-management policy, vendor risk review, and SB 2610 documentation support.
Sources: Adobe Security Bulletins · APSB26-50 — Adobe Connect · APSB26-49 — Adobe Commerce · APSB26-51 — Illustrator · EmailMeNow audits — adobe.com · commerce.adobe.com