Description
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
Published: 2026-04-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: DOM‑based Cross‑Site Scripting enabling malicious JavaScript execution in the victim's browser
Action: Patch Upgrade
AI Analysis

Impact

When a victim visits a specially crafted webpage, an attacker can manipulate the Document Object Model in the victim’s browser, causing the browser to execute arbitrary JavaScript within the context of that site. The vulnerability does not affect server‑side code, and no remote code execution is possible on the Adobe Experience Manager instance.

Affected Systems

Adobe Experience Manager versions 6.5.24, FP11.7 and any earlier releases are affected. Confirm whether your deployment uses these versions or earlier and plan to upgrade to a fixed release according to the Adobe advisory linked above.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. Because exploitation requires the user to visit a malicious page, the likelihood of successful attacks is limited to environments where users have access to potentially compromised web content. EPSS data is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Administrators should treat the risk as moderate and prioritize applying the vendor’s patch.

Generated by OpenCVE AI on April 14, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to an Adobe Experience Manager version newer than 6.5.24 or FP11.7 in accordance with the Adobe advisory.
  • Ensure that any remaining affected interfaces are not exposed to untrusted user input until the upgrade is complete.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe experience Manager, Adobe experience Manager Screens |
| CPEs | | cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*, cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:* |
| Vendors & Products | | Adobe experience Manager, Adobe experience Manager Screens |

Wed, 15 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe adobe Experience Manager |
| Vendors & Products | | Adobe, Adobe adobe Experience Manager |

Wed, 15 Apr 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 14 Apr 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. |
| Title | | Adobe Experience Manager \| Cross-site Scripting (DOM-based XSS) (CWE-79) |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:38:42.488Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34625

Vulnrichment

Updated: 2026-04-14T19:38:38.872Z

NVD

Status: Analyzed

Published: 2026-04-14T19:16:38.293

Modified: 2026-04-15T19:42:18.200

Link: CVE-2026-34625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses