Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM-based cross-site scripting flaw found in Adobe Experience Manager. An attacker can manipulate the DOM environment to inject malicious JavaScript that executes within the context of a victim's browser when the user visits a specially crafted page. The flaw requires user interaction, so exploitation depends on social engineering tactics such as phishing.

Affected Systems

The flaw impacts Adobe Experience Manager releases 6.5.24, LTS SP1, 2026.04 and earlier. Any system running these versions is vulnerable until an update that removes the flaw is applied.

Risk and Exploitability

With a CVSS score of 5.4 the vulnerability is of moderate severity. No EPSS score is provided and the issue is not listed in CISA's KEV catalog, indicating that no exploitation in the wild has been reported so far. The attack vector is nonetheless network-based: the attacker delivers a crafted webpage over HTTP or HTTPS, and the victim must open it. The changed scope means that the impact can extend beyond the originating user session, potentially compromising the application's content or configuration.

Generated by OpenCVE AI on June 9, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager update that removes the DOM-based XSS flaw as per the official advisory.
  • Sanitize all rendered user input by encoding output and applying strict input validation to prevent client-side scripts from being injected.
  • Deploy a Content Security Policy that disallows unsafe inline scripts and whitelists approved script sources.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:30:00 +0000

Type: First Time appeared
Values Added: Adobe; Adobe Experience Manager

Type: Vendors & Products
Values Added: Adobe; Adobe Experience Manager

Tue, 09 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
Values Added: Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

Type: Title
Values Added: Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Adobe: Adobe Experience Manager

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:38:26.281Z

Reserved: 2026-05-20T15:50:31.367Z

Link: CVE-2026-47989

Vulnrichment

Updated: 2026-06-09T18:36:04.966Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:41.830

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:15:16Z

Weaknesses