Description
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Published: 2026-06-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross‑Site Scripting vulnerability exists in Adobe Experience Manager Forms JEE, allowing an attacker to place malicious JavaScript in form fields. When a victim visits the page hosting the compromised field, the injected script runs in the victim's browser, potentially stealing credentials or hijacking a session. The flaw is classified as CWE‑79 and changes the security scope of the affected system.

Affected Systems

Adobe Experience Manager Forms JEE LTS SP1 and all releases up to and including 6.5.24.0 are affected. Users of these product versions must verify the installed version or apply the vendor update.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by submitting crafted form data that is stored and later rendered in a victim’s browser. This attack path is most likely remote, relying on web access to the form interface, and requires the ability to supply input that the application fails to sanitize. Because the vulnerability alters scope, successful exploitation could provide elevated privileges within the affected application.

Generated by OpenCVE AI on June 9, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager Forms JEE patch or upgrade beyond version 6.5.24.0.
  • Limit form submission to authenticated and trusted users or implement application‑level input sanitization to filter out script content.
  • Review all form fields for potential XSS vectors, enforce secure browser headers such as X‑XSS‑Protection and CSP, and monitor for abnormal activity.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe experience Manager
Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 10 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Title Adobe Experience Manager Forms JEE | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T19:16:52.031Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34691

Vulnrichment

Updated: 2026-06-09T19:16:48.302Z

NVD

Status: Analyzed

Published: 2026-06-09T18:16:38.387

Modified: 2026-06-11T17:29:49.867

Link: CVE-2026-34691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')