Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager allows a low‑privileged attacker to store malicious JavaScript in form fields. When a user views a page containing the vulnerable field, the script may be executed in their browser. The CVE description does not assert additional consequences such as cookie theft or defacement; those are not supported by the provided text.

Affected Systems

Adobe Experience Manager 6.5.24, the LTS SP1 build, and the 2026.04 release, as well as any earlier releases of the same product line are affected.

Risk and Exploitability

An attacker with low privileges who can submit input to a vulnerable form field can inject script. Because the CVE marks the scope as changed, the impact of the injected code reaches beyond the vulnerable component into the victim's browser session. No privileges beyond the ability to post to the form are required, so exploitation is feasible for users with minimal standing. The CVSS score of 5.4 indicates moderate severity; no EPSS score is available and the vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on June 9, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager update that mitigates the XSS flaw as described in the Adobe security advisory.
  • If an upgrade is not immediately possible, remove or disable the vulnerable form fields and enforce strict server‑side input validation or sanitization to prevent script injection.
  • Deploy a Content Security Policy that restricts where scripts can be loaded from, and monitor web logs for attempts to inject or execute malicious scripts.


Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Adobe
                                        Adobe experience Manager
Vendors & Products    -                 Adobe
                                        Adobe experience Manager

Tue, 09 Jun 2026 18:30:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type          Values Removed    Values Added
Description   -                 Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title         -                 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses    -                 CWE-79
References    -                 -
Metrics       -                 cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Adobe Experience Manager
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T17:52:34.957Z

Reserved: 2026-05-20T15:50:31.362Z

Link: CVE-2026-47942

Vulnrichment

Updated: 2026-06-09T17:52:21.549Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:37.767

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:16Z

Weaknesses