CVE-2026-48290

Summary

CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Affected Software

VendorProductVersion RangeStatus
AdobeContent Credentials Rust SDK0 <= c2pa-v0.84.0affected
AdobeContent Credentials Rust SDKc2pa-v0.85.2unaffected
AdobeContent Credentials Command-Line Tool0 <= c2patool-v0.16.5affected
AdobeContent Credentials Command-Line Toolc2patool-v0.26.65unaffected
AdobeContent Credentials JS SDK0 <= @contentauth/c2pa-web@0.7.0affected
AdobeContent Credentials JS SDK@contentauth/c2pa-web@0.9.0unaffected

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF) (CWE-918)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References