Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager is vulnerable to an improper redirect that allows an attacker to craft a malicious URL which will redirect a user’s browser to a site controlled by the attacker. If a victim follows the link, they could be directed to a phishing page that may steal credentials, leading to an account takeover. The weakness is a classic Open Redirect (CWE‑601).

Affected Systems

The vulnerability affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and all earlier releases. Users running any of these versions are at risk until the software is upgraded.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS score is available, so there is no exploitation-probability estimate for this issue yet. The vulnerability is not listed in CISA KEV, which means no confirmed in-the-wild exploitation is recorded there. The attack requires user interaction: an individual must click a malicious link. Consequently, the risk is primarily to users who encounter such links, especially those with administrative or privileged accounts.

Generated by OpenCVE AI on June 9, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Review Adobe’s advisory for the latest update and apply the recommended patch immediately
  • Upgrade Adobe Experience Manager to a fixed version, preferably 6.5.25 or newer
  • After patching, enforce a whitelist of allowed redirect destinations or disable automatic redirects to mitigate similar future issues

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe adobe Experience Manager
Vendors & Products | | Adobe; Adobe adobe Experience Manager

Tue, 09 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.
Title | | Adobe Experience Manager | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T17:36:03.155Z

Reserved: 2026-05-20T15:50:31.367Z

Link: CVE-2026-47991

Vulnrichment

Updated: 2026-06-09T17:35:56.165Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:42.070

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-47991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:15:15Z

Weaknesses