Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a DOM-based Cross‑Site Scripting flaw that allows an attacker to manipulate the Document Object Model and execute malicious JavaScript in the victim’s browser context. The vulnerability requires the victim to visit a specially crafted webpage; once loaded, the injected script runs with the same privileges as the user, potentially enabling session hijacking, data theft, or defacement.

Affected Systems

The affected vendor is Adobe, and the affected product is Adobe Experience Manager. All instances of the product running the listed versions or earlier are vulnerable: 6.5.24, LTS SP1, 2026.04, and all earlier releases.

Risk and Exploitability

The CVSS score of 5.4 reflects moderate severity, and the lack of an EPSS score suggests no known large‑scale exploitation yet. The flaw is not listed in CISA’s KEV catalog, further indicating limited public exploitation. The attack vector relies on user interaction: a user must click a crafted link or open a malicious page. As the vulnerability can alter the behaviour of the victim’s browser, it poses a risk to the confidentiality and integrity of data within the session, and it could also allow resource consumption or denial of service if the malicious script is designed to hang the browser.

Generated by OpenCVE AI on June 9, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Experience Manager to a version that removes the DOM-based XSS flaw
  • Validate and encode any user‑controlled data that may be injected into the DOM before rendering to the page
  • Implement a Content Security Policy that blocks inline scripts and restricts script sources

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |               | Adobe; Adobe Experience Manager
Vendors & Products  |               | Adobe; Adobe Experience Manager

Tue, 09 Jun 2026 17:15:00 +0000

Type        | Values Removed | Values Added
Description |               | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title       |               | Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses  |               | CWE-79
References  |               | (none listed)
Metrics     |               | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

  • Adobe
  • Adobe Experience Manager

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T16:48:27.317Z

Reserved: 2026-05-20T15:50:31.367Z

Link: CVE-2026-47986

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:41.567

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:16Z

Weaknesses