Impact
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a DOM-based XSS flaw that allows an attacker to manipulate the DOM environment and execute malicious JavaScript within the context of a victim’s browser. By crafting a URL or web page that the victim visits, an attacker can inject arbitrary code that runs with the credentials of the user who loads the page. The vulnerability changes scope, which may expose additional privileges or data to the attacker after exploitation.
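The pattern the advisory describes, a value read from the page URL that reaches an HTML sink, shown as an added example beside its hardened form; this is illustrative code, not code from the advisory or from Adobe Experience Manager, and it uses a minimal stand-in element so it runs in Node without a browser DOM (an assumption of the example).

```javascript
// Minimal element stand-in (assumption: no browser DOM available). Setting
// textContent stores escaped text, as a real node serialises it; setting
// innerHTML stores raw markup, as a real node would parse it.
function makeElement() {
  return {
    _html: "",
    set innerHTML(v) { this._html = v; },
    get innerHTML() { return this._html; },
    set textContent(v) { this._html = escapeHtml(v); },
  };
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Source: a parameter taken straight from the URL the victim was sent to.
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Vulnerable: URL-controlled data is concatenated into innerHTML, so any
// markup in the parameter is parsed and executed in the victim's context.
function renderUnsafe(el, url) {
  el.innerHTML = "<h1>Welcome, " + nameFromUrl(url) + "</h1>";
  return el.innerHTML;
}

// Hardened: the same data is assigned as text, so it can never become markup.
function renderSafe(el, url) {
  el.textContent = "Welcome, " + nameFromUrl(url);
  return el.innerHTML;
}

// Defender-side triage heuristic: flag parameter values that carry HTML or
// script syntax, e.g. when reviewing proxy logs for attempts against this flaw.
// It is a coarse pattern match, not a sanitiser.
function looksLikeMarkupInjection(value) {
  return /<\s*\w|on\w+\s*=|javascript\s*:/i.test(value);
}

// Constructed sample URLs for the demonstration (not taken from the advisory).
const benignUrl = "https://example.test/content/page.html?name=Alice";
const hostileUrl = "https://example.test/content/page.html?name=" +
  encodeURIComponent('<img src=x onerror="alert(1)">');
```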
Affected Systems
The affected products are Adobe Experience Manager, specifically versions 6.5.24, LTS SP1, 2026.04 and all earlier releases. Users running these versions should verify their local installation against the provided Adobe security advisory.
Risk and Exploitability
The CVSS score of 5.4 places this vulnerability in the moderate severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating a moderate likelihood of exploitation with no evidence that it is currently being targeted. The attack requires user interaction: a victim must click or otherwise visit a crafted webpage that triggers the DOM manipulation. The scope change suggests that the damage could be escalated beyond the original user context if the victim is authenticated within the application. Given the available data, the risk is moderate, but the impact could be significant if exploited by a determined attacker.
OpenCVE Enrichment