Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A DOM‑based cross‑site scripting vulnerability in Adobe Experience Manager allows an attacker who lures a user to a crafted web page to inject and execute malicious JavaScript in the victim’s browser. The flaw stems from inadequate sanitization of client‑side input and is classified as CWE‑79. Because the vulnerability’s scope is altered, it can affect parts of the application beyond the initially targeted component, increasing the potential impact on the target system.

Affected Systems

Adobe Experience Manager, versions 6.5.24, LTS SP1, 2026.04 and any earlier releases.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. No EPSS score is published, so the observed exploitation probability is unknown. Adobe does not list it in the CISA KEV catalog. Exploitation requires user interaction—specifically, a victim must open a maliciously crafted page—so it is mitigated by user awareness and defensive controls. The changed scope raises the risk of broader impact if the attacker successfully manipulates the DOM.

Generated by OpenCVE AI on June 9, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Experience Manager to a patched release that resolves the DOM‑based XSS flaw.
  • Enable a Content Security Policy that restricts inline script execution and disallows unsafe eval usage.
  • Implement input validation and sanitation on all client‑side code that processes user‑supplied data.

Generated by OpenCVE AI on June 9, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 10 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:18:30.565Z

Reserved: 2026-05-20T15:50:31.367Z

Link: CVE-2026-47987

cve-icon Vulnrichment

Updated: 2026-06-09T20:18:25.572Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:41.700

Modified: 2026-06-10T13:08:28.370

Link: CVE-2026-47987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses