Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored cross-site scripting vulnerability that allows a low-privileged attacker to inject malicious JavaScript into vulnerable form fields. When a victim visits the page containing the injected field, the script runs in the victim's browser, enabling potential data theft, session hijacking or defacement. The flaw is marked as changing scope, meaning its impact is not confined to the vulnerable component itself but reaches the victim's browser.

Affected Systems

Adobe Experience Manager versions 6.5.24 and earlier, including the LTS SP1 and 2026.04 releases.

Risk and Exploitability

With a CVSS score of 5.4 the vulnerability is rated Medium severity. EPSS data is not available, so the exploitation probability cannot be quantified, but because a low-privileged attacker must supply the input and the victim must then view the page, exploitation hinges on user interaction. The flaw is not currently listed in the CISA KEV catalog. Exploitation typically involves submitting malicious form input that is stored and later rendered without proper sanitization.

Generated by OpenCVE AI on June 9, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager security update that removes the stored XSS flaw, updating beyond 6.5.24, LTS SP1, and 2026.04 releases.
  • Ensure all form input is properly sanitized or escaped before storage or rendering; review custom components for unsafe output handling.
  • Deploy a Content Security Policy that restricts inline script execution and disallows unsafe-eval, limiting the impact if XSS persists.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Adobe; Adobe adobe Experience Manager
Vendors & Products   (none)           Adobe; Adobe adobe Experience Manager

Tue, 09 Jun 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title         (none)           Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:38:39.068Z

Reserved: 2026-05-20T15:50:31.365Z

Link: CVE-2026-47974

Vulnrichment

Updated: 2026-06-09T18:35:59.695Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:40.340

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:16Z

Weaknesses