Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM-based cross-site scripting (XSS) flaw that lets an attacker execute arbitrary JavaScript in the victim's browser context. The attacker manipulates the DOM environment by directing a user to a crafted webpage, causing the victim's browser to run the injected code. The CVSS scope is changed, meaning the impact can extend beyond the vulnerable component itself.

Affected Systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected. Any deployment of these revisions of Adobe’s digital asset and content management platform is at risk unless it has been updated beyond these releases.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting it is not yet known to be widely exploited. Exploitation requires the victim to visit a maliciously crafted page, so delivery depends on social engineering or on a compromised inbound link. Because the flaw changes scope, a successful attacker could have a broader impact than isolated script execution.

Generated by OpenCVE AI on June 9, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe’s security patch or upgrade to a version released after 6.5.24, LTS SP1, 2026.04 that resolves the DOM-based XSS issue.
  • Configure a strict Content-Security-Policy on the application that disallows inline scripts and the 'unsafe-eval' source expression, so that injected JavaScript cannot execute.
  • Review the codebase for any place where user-supplied data is written into the DOM and implement proper input validation or output sanitization to eliminate the vectors that enable this vulnerability.

Tracking

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe Experience Manager
Vendors & Products | | Adobe; Adobe Experience Manager

Tue, 09 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title | | Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Adobe Adobe Experience Manager
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:04:57.052Z

Reserved: 2026-03-30T17:30:36.497Z

Link: CVE-2026-34692

Vulnrichment

Updated: 2026-06-09T18:04:12.956Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:05.297

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T19:45:12Z

Weaknesses