Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker may inject malicious JavaScript into vulnerable form fields. When a victim browses a page containing the injected content, the script runs in the victim's browser, enabling credential theft, session hijacking, or the delivery of further malware. The vulnerability changes scope but does not allow direct server-side code execution.

Affected Systems

Adobe Experience Manager, specifically versions 6.5.24, LTS SP1, 2026.04 and all earlier releases. Deployments running these affected versions are at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is likely a web interface that accepts user-generated content in form fields; a low-privileged user with write access to such fields can complete the exploit. Successful exploitation requires the victim to load the page, so social engineering or phishing may increase attack success. Overall risk is moderate, with potential impact on the confidentiality and integrity of user data.

Generated by OpenCVE AI on June 9, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued patch for Adobe Experience Manager, moving to version 6.5.25 or later as recommended by Adobe's security advisory.
  • If the patch cannot be applied immediately, restrict write access to the vulnerable form fields or disable content submissions from untrusted sources.
  • Implement additional input validation, or a Content Security Policy that blocks inline script execution, on pages that contain the affected form fields.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
  • Title: Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
  • Weaknesses: CWE-79
  • References: (none recorded)
  • Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:38:33.545Z

Reserved: 2026-05-20T15:50:31.363Z

Link: CVE-2026-47951

Vulnrichment

Updated: 2026-06-09T18:36:02.775Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:38.997

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47951

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:45:12Z

Weaknesses