Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable to a DOM-based Cross-Site Scripting (XSS) flaw (CWE-79). The flaw allows an attacker to manipulate the Document Object Model in a victim's browser and execute arbitrary JavaScript. Because a victim must be lured to a crafted web page, exploitation requires user interaction and takes place in the browser rather than on the server. Successful exploitation could let the attacker execute malicious script, harvest credentials, or deface the site within the victim's session context.

Affected Systems

Adobe Experience Manager administrative consoles and content authoring sites running on the affected releases are impacted. This includes the 6.5.24 LTS SP1 release, the 2026.04 patch set, and any earlier builds of that line. Systems that have remained on or before these versions, without applying the vendor’s published fix, must evaluate their exposure.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, indicating moderate severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog. Although the flaw is not exploitable from the server side, the user-interaction requirement means that phishing or social engineering could be used to lure users to malicious URLs. The changed scope (S:C in the CVSS vector) indicates that the impact reaches beyond the vulnerable component and could affect all components loaded in the user's browser session.

Generated by OpenCVE AI on June 9, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade or patch Adobe Experience Manager to a version that contains the vendor’s XSS fix (refer to the Adobe security bulletin for the specific build).
  • Enforce strict output encoding on all user‑generated content and implement server‑side input validation to prevent malicious DOM manipulation.
  • Deploy a Content Security Policy that restricts inline scripts and disallows unsafe eval, thereby reducing the impact of any remaining XSS vectors.
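The two controls in the recommended actions, output encoding and a Content Security Policy without unsafe script sources, are easiest to reason about on a concrete DOM-based XSS pattern. The following is an added example written for this page; it is not Adobe's or OpenCVE's code and says nothing about how the AEM flaw itself works. It shows a generic fragment-to-innerHTML data flow in vulnerable and hardened form, and a small CSP checker that flags the settings the third recommendation warns against. The fragment, header strings and nonce value are all constructed sample data.

```javascript
// Added example (not Adobe's or OpenCVE's code): output encoding and a CSP
// check, shown on a generic DOM-based XSS pattern. No AEM internals involved.

// Encode untrusted text for an HTML element context (the five characters that
// can change HTML structure).
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a URL fragment (client-controlled and never sent to the
// server) is decoded and concatenated straight into markup destined for innerHTML.
function renderVulnerable(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<p>Hello, ' + name + '</p>';
}

// Hardened pattern: identical data flow, but the value is encoded before it
// enters the HTML context, so any markup in it becomes inert text.
function renderHardened(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<p>Hello, ' + encodeForHtml(name) + '</p>';
}

// Parse a Content-Security-Policy header into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Report the script-src weaknesses the recommended actions call out.
// script-src falls back to default-src when absent, as browsers do.
function cspFindings(header) {
  const policy = parseCsp(header);
  const scriptSrc = policy.get('script-src') || policy.get('default-src');
  if (!scriptSrc) return ['no script-src or default-src: scripts are unrestricted'];
  const findings = [];
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.includes('*')) findings.push('script-src allows any host (*)');
  return findings;
}

// Constructed sample input: a fragment carrying markup, as a DOM-based XSS
// test case would. The hardened greeting must show it as text, not interpret it.
const constructedFragment = '#%3Cscript%3Eevil()%3C%2Fscript%3E';

// Constructed sample headers; 'nonce-r4nd0m' stands in for a per-response nonce.
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const strictCsp = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

console.log(renderVulnerable(constructedFragment)); // markup reaches the HTML context intact
console.log(renderHardened(constructedFragment));   // markup arrives as &lt;script&gt;... text
console.log(cspFindings(weakCsp));                  // two findings
console.log(cspFindings(strictCsp));                // no findings
```

The encoder only covers the HTML element context; a value placed into an attribute, a URL or a script block needs the encoding for that context, which is why the recommendation pairs encoding with a CSP as a second layer.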

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe
                                      Adobe Experience Manager
Vendors & Products                    Adobe
                                      Adobe Experience Manager

Tue, 09 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title                          Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:34:44.645Z

Reserved: 2026-05-20T15:50:31.366Z

Link: CVE-2026-47983

Vulnrichment

Updated: 2026-06-09T18:34:40.937Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:41.213

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses