Description
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-06-09
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw that allows an attacker to inject malicious scripts into a web page. This flaw can lead to elevated access or control over a victim’s account or session, and the stated scope change indicates that the impact may extend beyond the originally affected context. The weakness is classified as CWE‑79.

Affected Systems

Adobe Experience Manager Forms JEE, specifically LTS SP1 and any release 6.5.24.0 or earlier, is vulnerable to the reflected XSS described above.

Risk and Exploitability

The CVSS score of 8 marks the vulnerability as high severity, and it is not listed in the CISA KEV catalog. The EPSS score is not available, but the stated requirement for user interaction – a victim must visit a maliciously crafted URL or otherwise engage with a compromised page – means that the likelihood of widespread exploitation remains moderate. The vulnerability’s scope change suggests that exploitation could potentially lead to broader compromise within the application once an attacker gains initial access.

Generated by OpenCVE AI on June 9, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager Forms JEE security patch that fixes CVE‑2026‑34693, ensuring the update is to a release newer than 6.5.24.0.
  • Configure the application to validate and encode all user‑supplied input, particularly within URL parameters, to prevent script injection.
  • Implement a Content Security Policy that restricts the execution of inline scripts and disallows loading of script resources from untrusted origins.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe adobe Experience Manager
Vendors & Products | | Adobe; Adobe adobe Experience Manager

Tue, 09 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Title | | Adobe Experience Manager Forms JEE | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:37:47.704Z

Reserved: 2026-03-30T17:30:36.497Z

Link: CVE-2026-34693

Vulnrichment

Updated: 2026-06-09T18:36:51.691Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T18:16:39.750

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses