Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager is vulnerable to a stored cross-site scripting flaw (CWE-79) that lets a low-privileged, authenticated attacker inject script into form fields whose contents the application later renders into a page without adequate output encoding. The injected JavaScript executes in the browser of any user who views the affected page, potentially enabling session theft, data exfiltration, or other client-side attacks. The CVSS scope is changed (S:C) because the payload is stored by the AEM instance but executes in the victim's browser, a different security authority; it does not mean the flaw reaches more users than expected.

Affected Systems

The affected product is Adobe Experience Manager. According to the advisory text, versions 6.5.24, LTS SP1 and 2026.04, together with earlier releases, are affected. No fixed version is recorded on this page yet.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity: the attack is network-reachable and low-complexity, but it requires low privileges on the AEM instance (an account that can submit to the form) and user interaction, since a victim must browse to the page holding the stored payload. No EPSS data is available and the CVE is not in the CISA KEV catalog, so the likelihood of exploitation is uncertain; the SSVC assessment recorded in the history below rates exploitation as 'none' and the flaw as not automatable. In the typical attack path the attacker submits crafted input through a form once, and the payload is then served to every user who later views that page.

Generated by OpenCVE AI on June 9, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe's official security update for Adobe Experience Manager as soon as it is published; check the vendor's security bulletin for the fixed versions, since none is recorded on this page yet.
  • If an update is not yet possible, disable the affected form fields or restrict which accounts can submit to the components that accept user input until the patch is applied.
  • As defence in depth, enforce context-aware output encoding on all user-supplied data (HTML body, attribute and JavaScript contexts each need their own encoder), deploy a Content Security Policy that disallows inline script, and mark session cookies HttpOnly so that a residual XSS cannot read them directly.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe
                                      Adobe experience Manager
Vendors & Products                    Adobe
                                      Adobe experience Manager

Tue, 09 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title                          Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:32:12.888Z

Reserved: 2026-05-21T15:28:38.135Z

Link: CVE-2026-48300

Vulnrichment

Updated: 2026-06-09T18:32:09.512Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:44.260

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-48300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:00:10Z

Weaknesses