Description
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
Published: 2026-04-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (DOM‑based)
Action: Apply patch
AI Analysis

Impact

Adobe Experience Manager is affected by a DOM-based XSS vulnerability: client-side JavaScript in the product reads attacker-controllable data from the DOM environment (in DOM-based XSS this is typically a part of the page's own URL, such as the fragment or query string) and passes it to a sink that interprets it as HTML or script. Unlike the stored XSS this record was first filed as, nothing is written into the AEM repository; the payload travels in the crafted page or link the victim opens, and the victim's own browser executes it in the origin of the AEM instance with whatever session the victim holds. The CVSS vector (C:L/I:L, scope changed) corresponds to limited read and write within that session: performing actions as the user, reading content the user can see, and altering what the page displays. Theft of the session cookie is only possible where the cookie is not marked HttpOnly; the advisory does not say whether that applies here.
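The source-to-sink pattern described above, as an added illustration that is not Adobe's code and does not reproduce the AEM component affected by this CVE: the URL fragment is the attacker-controlled source, a string destined for innerHTML is the sink, and the hardened version allowlists the value and escapes it. The function names, the tab names and the crafted link are hypothetical; the sink is modelled as the string the page would assign so the snippet runs under Node without a DOM.

```javascript
// Added example (not Adobe's code): DOM-based XSS source -> sink, with a fix.
// Source = data the attacker controls through a crafted link (the URL fragment).
// Sink = the place the page writes it as markup (modelled as the string that
// would be assigned to element.innerHTML). All names here are hypothetical.

// Source: everything after '#'. Fragments are never sent to the server, so a
// payload carried here leaves no trace in server-side access logs.
function fragmentOf(url) {
  const i = url.indexOf('#');
  if (i < 0) return '';
  try {
    return decodeURIComponent(url.slice(i + 1));
  } catch (e) {
    return url.slice(i + 1); // malformed %-escape: fall back to the raw text
  }
}

// Vulnerable: the untrusted string is concatenated straight into markup.
function renderTabVulnerable(url) {
  const tab = fragmentOf(url);
  return '<div class="tab-title">' + tab + '</div>'; // el.innerHTML = ...
}

// Hardened, step 1: treat the value as data, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened, step 2: when the value only selects among known options, allowlist
// it and fall back to a default instead of echoing whatever was supplied.
const KNOWN_TABS = new Set(['overview', 'assets', 'settings']);
function renderTabHardened(url) {
  const tab = fragmentOf(url);
  const chosen = KNOWN_TABS.has(tab) ? tab : 'overview';
  return '<div class="tab-title">' + escapeHtml(chosen) + '</div>';
}

// Crude check a reviewer can run over templated output: list every tag that is
// not the template's own wrapper. Anything returned came from the input.
function injectedMarkup(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.filter((t) => !/^<\/?div( class="tab-title")?>$/.test(t));
}

// Constructed crafted link of the kind a victim would be lured into opening.
const CRAFTED =
  'https://author.example.test/content/page.html#<img src=x onerror=alert(document.domain)>';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(renderTabVulnerable(CRAFTED));   // payload lands in the markup
  console.log(injectedMarkup(renderTabVulnerable(CRAFTED)));
  console.log(renderTabHardened(CRAFTED));     // falls back to "overview"
}
```

The allowlist is the real fix for a value that only ever selects among known options; escaping alone would still let an attacker display arbitrary text in a trusted-looking UI element. Where the sink is a real DOM, the same idea is `element.textContent = value` instead of `innerHTML`.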

Affected Systems

The vendor description lists Adobe Experience Manager 6.5.24, FP11.7 and earlier as affected. The CPE entries attached to this record cover Adobe Experience Manager and Adobe Experience Manager Screens with no version bounds, and no advisory link or fixed version is attached yet, so treat every AEM 6.5 deployment at or below those versions as affected until Adobe's bulletin names the fixed service pack or feature pack.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity, but reaching the vulnerable code requires a low-privileged account (PR:L) and the victim must act (UI:R); scope is changed because the payload runs in the victim's browser rather than on the AEM server. The SSVC assessment attached to the record is Exploitation: none, Automatable: no, Technical Impact: partial; EPSS is below 1% and the CVE is not in the CISA KEV catalog. The user-interaction requirement does not shrink the attack surface, it raises the cost of exploitation: the attacker must get a logged-in AEM user to open a crafted link or page, which phishing or a watering-hole page routinely achieves. The practical priority is therefore moderate, and higher for author instances that are reachable from the internet or used by many content authors.

Generated by OpenCVE AI on April 14, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager security update that addresses CVE-2026-27288 once Adobe's bulletin names it, or move to a supported release that includes it; after patching, verify the installed service pack and feature pack versions rather than assuming the update applied.
  • If immediate patching is not possible, limit who can reach the affected instance (PR:L means an attacker needs at least a low-privileged account, so keeping author instances behind VPN or SSO and pruning unused accounts reduces exposure) and, as a general XSS mitigation rather than an Adobe-documented workaround, deploy a Content-Security-Policy that disallows inline script. Note that a DOM-based payload carried in the URL fragment never reaches the server, so access logs and a WAF will not see it; monitoring has to rely on client-side signals such as CSP violation reports, or on query-string inspection where that is the source.


Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:00:00 +0000

  First Time appeared (added): Adobe experience Manager; Adobe experience Manager Screens
  CPEs (added): cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*; cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:*
  Vendors & Products (added): Adobe experience Manager; Adobe experience Manager Screens

Wed, 15 Apr 2026 14:45:00 +0000

  First Time appeared (added): Adobe; Adobe adobe Experience Manager
  Vendors & Products (added): Adobe; Adobe adobe Experience Manager

Tue, 14 Apr 2026 20:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:45:00 +0000

  Description (removed): Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
  Description (added): Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
  Title (removed): Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
  Title (added): Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)

Tue, 14 Apr 2026 18:15:00 +0000

  Description (added): Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
  Title (added): Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
  Weaknesses (added): CWE-79
  References (added):
  Metrics (added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:27:37.186Z

Reserved: 2026-02-18T22:02:41.395Z

Link: CVE-2026-27288

Vulnrichment

Updated: 2026-04-14T19:22:59.492Z

NVD

Status : Analyzed

Published: 2026-04-14T18:16:56.450

Modified: 2026-04-15T19:46:11.643

Link: CVE-2026-27288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses