Impact
Adobe Experience Manager versions up to and including 6.5.24, LTS SP1, and the 2026.04 release contain a DOM‑based Cross‑Site Scripting flaw (CWE‑79). An attacker who can lure a victim to a specially crafted URL can insert malicious JavaScript that runs in the victim’s browser. Because the script executes under the user’s privileges, it may read sensitive data on the page or perform actions on the user’s behalf. The vulnerability requires user interaction and does not alter system state, but it enables session hijacking or data theft if the attacker can inject scripts that read cookies or local storage.
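The mechanism described above, as an added illustration that is not Adobe's or AEM's code: a hypothetical page component copies a URL parameter (the source) into an HTML string destined for innerHTML (the sink), beside the same component with output encoding applied. The function names and the sample URL are constructed for this example.

```javascript
// Added example, not AEM code. Shows the source-to-sink pattern behind a
// DOM-based XSS and the encoding that closes it. All names are hypothetical.

// The "source": a value taken from the query string or the fragment of the
// current URL. The fragment never reaches the server, so server-side input
// filtering cannot see it; only client-side encoding protects the sink.
function readUrlParam(href, name) {
  const url = new URL(href);
  const fromQuery = url.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  return fragment.get(name);
}

// Vulnerable pattern: untrusted text is interpolated into markup that the
// page would assign to element.innerHTML, so any tags in it become live HTML.
function renderUnsafe(title) {
  return `<h1 class="page-title">${title}</h1>`;
}

// Encode the five characters that let text escape an HTML text node or a
// quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical output shape, but the parameter is rendered as
// data. In a browser, assigning element.textContent is the simpler equivalent.
function renderSafe(title) {
  return `<h1 class="page-title">${escapeHtml(title)}</h1>`;
}

// Reviewer check: does the untrusted value reach the output as an unescaped tag?
function containsRawTag(html, untrusted) {
  return /<[a-z]/i.test(untrusted) && html.includes(untrusted);
}

// Constructed sample URL carrying a harmless probe string in the parameter.
const SAMPLE_URL =
  'https://www.example.com/content/page.html?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

const probe = readUrlParam(SAMPLE_URL, 'title');
console.log('unsafe leaks tag:', containsRawTag(renderUnsafe(probe), probe)); // true
console.log('safe   leaks tag:', containsRawTag(renderSafe(probe), probe));   // false
```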
Affected Systems
Adobe Experience Manager deployments running version 6.5.24, LTS SP1, 2026.04, or earlier are affected. Organizations using any of these releases should confirm which release each instance runs and review whether any custom client-side code reads from URL parameters or fragments that a user-supplied link could control.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. The flaw is a conventional DOM‑based XSS that requires a victim to open a malicious link; exploitation therefore depends on social engineering or phishing. An attacker could exploit it on any device a user accesses, including mobile browsers. Because the script runs in the victim’s context, it can exfiltrate data or inject further payloads. The absence of an EPSS score and of a KEV listing suggests that no widespread automated exploitation is known, but the vulnerability could still be exploited manually by a targeted attacker.
OpenCVE Enrichment