Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager is vulnerable to a stored Cross-Site Scripting flaw (CWE-79) that enables a low-privileged attacker to embed malicious JavaScript into form fields. When a victim views a page containing the compromised field, the injected script runs in the victim's browser, potentially compromising the user's session or data, or performing other malicious actions.

Affected Systems

Affected editions include Adobe Experience Manager versions 6.5.24, the LTS SP1 release, and the 2026.04 release, as well as any earlier builds of those series.

Risk and Exploitability

The CVSS base score is 5.4, indicating moderate severity, and an EPSS score is not yet available. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are expected to exploit the flaw by supplying malicious input to a vulnerable form field that is later stored and rendered within the site, so that the embedded script runs in the browser of any user who visits the affected page. The changed scope indicates that the impact reaches beyond the vulnerable component (the script executes in the viewing user's browser), increasing potential exposure.

Generated by OpenCVE AI on June 9, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for Adobe Experience Manager 6.5.24, LTS SP1, or 2026.04 that resolves the stored XSS issue, as detailed in the Adobe advisory.
  • If the update cannot be applied immediately, restrict write permissions to the vulnerable form controls or disable the affected fields to prevent injection.
  • Use a web application firewall or enforce a strict Content Security Policy to block inline script execution and filter malicious payloads.

Generated by OpenCVE AI on June 9, 2026 at 20:02 UTC.
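The last recommended action above relies on a Content Security Policy that blocks inline script execution, which is what neutralises a stored payload even when the vulnerable field still renders it. The following is an added example, not part of the OpenCVE record or of any Adobe configuration: a small Python checker that parses a CSP header, applies the script-src to default-src fallback that browsers use, and reports whether an injected inline script could still run. Both policy strings, including the nonce value and the CDN host name, are constructed for illustration.

```python
"""Check whether a Content-Security-Policy header blocks inline script execution."""
from typing import Dict, List

# Constructed sample policies (not taken from the advisory or from any real deployment).
# The weak policy whitelists 'unsafe-inline', so a stored <script> or onerror= payload runs.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
# The hardened policy uses a per-response nonce; inline scripts without it are blocked.
HARDENED_CSP = (
    "default-src 'self'; object-src 'none'; base-uri 'self'; "
    "script-src 'nonce-r4nd0mN0nceV4lue' 'strict-dynamic'"
)

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'. The first token of each directive is its
    name (case-insensitive); the remaining tokens are source expressions.
    A repeated directive is ignored after its first occurrence, matching
    browser behaviour.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs script execution; when absent, default-src applies instead."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def allows_inline_scripts(header: str) -> bool:
    """Return True when the policy would let an inline script injected into the page execute."""
    sources = [s.lower() for s in effective_script_sources(parse_csp(header))]
    if not sources:
        # Neither script-src nor default-src: the policy places no restriction on scripts.
        return True
    if "'unsafe-inline'" not in sources:
        return False
    # Since CSP Level 2, 'unsafe-inline' is ignored when a nonce or hash source is present,
    # so a policy that carries both still blocks unauthorised inline scripts.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return not has_nonce_or_hash


def classify(header: str) -> str:
    """One-line verdict suitable for a configuration review report."""
    if allows_inline_scripts(header):
        return "weak: inline scripts can run"
    return "hardened: inline scripts blocked"


if __name__ == "__main__":
    for label, header in (("WEAK_CSP", WEAK_CSP), ("HARDENED_CSP", HARDENED_CSP)):
        print(f"{label}: {classify(header)}")
```

The checker deliberately treats a missing script-src as governed by default-src and a missing default-src as no restriction at all, because both are common misconfigurations when a policy is copied from a template. The nonce in the hardened policy must be freshly generated per response by the server; a static nonce is equivalent to 'unsafe-inline'.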

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Adobe, Adobe Experience Manager
Vendors & Products   -                Adobe, Adobe Experience Manager

Tue, 09 Jun 2026 20:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type         Values Removed   Values Added
Description  -                Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title        -                Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses   -                CWE-79
References   -                -
Metrics      -                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe, Adobe Experience Manager

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T19:37:48.502Z

Reserved: 2026-05-20T15:50:31.362Z

Link: CVE-2026-47945

Vulnrichment

Updated: 2026-06-09T19:37:42.100Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:38.180

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:15:16Z

Weaknesses