Description
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Published: 2026-06-09
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross‑Site Scripting vulnerability exists in Adobe Experience Manager Forms JEE, allowing an attacker to place malicious JavaScript in form fields. When a victim visits the page hosting the compromised field, the injected script runs in the victim's browser, potentially stealing credentials or hijacking a session. The flaw is classified as CWE‑79 and changes the security scope of the affected system.

Affected Systems

Adobe Experience Manager Forms JEE LTS SP1 and all releases up to and including 6.5.24.0 are affected. Users of these product versions must verify the installed version or apply the vendor update.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by submitting crafted form data that is stored and later rendered in a victim’s browser. This attack path is most likely remote, relying on web access to the form interface, and requires the ability to supply input that the application fails to sanitize. Because scope is changed (S:C in the CVSS vector), the impact reaches beyond the vulnerable component into the victim's browser session, so successful exploitation could provide elevated privileges within the affected application.

Generated by OpenCVE AI on June 9, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager Forms JEE patch or upgrade beyond version 6.5.24.0.
  • Limit form submission to authenticated and trusted users or implement application‑level input sanitization to filter out script content.
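  • Review all form fields for potential XSS vectors, enforce secure browser headers such as X‑XSS‑Protection and CSP, and monitor for abnormal activity. Current Chromium-based browsers and Firefox ignore X‑XSS‑Protection, so of the two headers a restrictive Content-Security-Policy is the one that provides protection.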



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Values added (no values removed):

  • Description: Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
  • Title: Adobe Experience Manager Forms JEE | Cross-site Scripting (Stored XSS) (CWE-79)
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T19:16:52.031Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34691

Vulnrichment

Updated: 2026-06-09T19:16:48.302Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T18:16:38.387

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:30:13Z

Weaknesses