Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager is vulnerable to a DOM‑based Cross‑Site Scripting flaw that allows an attacker to manipulate the Document Object Model and execute malicious JavaScript in the victim’s browser. The attack requires a user to visit a specially crafted page and can lead to execution of arbitrary code within the victim’s session, potentially compromising credentials or data that the user has access to. The vulnerability’s scope has been changed, indicating that the effect could extend beyond the initial user context.

Affected Systems

Adobe Experience Manager 6.5.24, LTS SP1, 2026.04 and all earlier releases are affected. Users of these versions should verify their build and immediately consult Adobe’s advisory linked in the references.

Risk and Exploitability

The CVSS score of 5.4 denotes a medium risk level, and the exploit probability is not reported. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Because the flaw requires user interaction to reach a crafted URL, the likelihood of accidental exploitation is moderate, but an attacker with social engineering or phishing capabilities could readily trigger it. Mitigation should focus on applying the vendor patch and reducing browser exposure to untrusted content.

Generated by OpenCVE AI on June 9, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager patch that removes the vulnerable DOM handling code
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources
  • Validate and encode any user‑supplied data that is reflected in URLs or on the page to prevent malicious script injection

Generated by OpenCVE AI on June 9, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:38:15.739Z

Reserved: 2026-05-21T15:28:38.131Z

Link: CVE-2026-48258

cve-icon Vulnrichment

Updated: 2026-06-09T18:38:10.473Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:42.673

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-48258

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses