Description
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored Cross-Site Scripting flaw that a low-privileged user can leverage to inject malicious JavaScript into form fields; when a victim visits the page containing the field, the script executes in the victim's browser. The vulnerability permits modification of the page's content. The weakness is a classic input-handling error, improper neutralization of input during web page generation (CWE-79).

Affected Systems

The affected systems are Adobe Experience Manager deployments running versions 6.5.24, LTS SP1, 2026.04 or earlier, provided by Adobe Corporation.

Risk and Exploitability

The CVSS score of 5.4 classifies this issue as medium severity; no EPSS score is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an attacker submitting data to a vulnerable form field, where the stored input is later rendered to other users. Because the flaw requires only a low-privileged account, the risk depends on the attacker's ability to reach the form and on how widely the stored content is displayed to other users. The scope is changed, meaning the impact extends beyond the vulnerable component (the AEM application) into the victim's browser context once the injected data is rendered.

Generated by OpenCVE AI on June 9, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager security update released in the advisory at https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html
  • Enforce strict input validation or sanitization on all form fields to ensure that script tags and event handlers are removed or escaped before storage
  • Deploy a Content Security Policy that disallows inline scripts and restricts execution to trusted sources to reduce the impact of any residual XSS

Generated by OpenCVE AI on June 9, 2026 at 21:29 UTC.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Adobe; Adobe Experience Manager
Type: Vendors & Products
  Values removed: none
  Values added: Adobe; Adobe Experience Manager

Tue, 09 Jun 2026 19:30:00 +0000

Type: Metrics
  Values removed: none
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Values removed: none
  Values added: Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Type: Title
  Values removed: none
  Values added: Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Type: Weaknesses
  Values removed: none
  Values added: CWE-79
Type: References
  Values removed: none
  Values added: none
Type: Metrics
  Values removed: none
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Adobe Adobe Experience Manager
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:27:55.976Z

Reserved: 2026-05-21T15:28:38.136Z

Link: CVE-2026-48304

Vulnrichment

Updated: 2026-06-09T18:27:45.487Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:44.507

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-48304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:00:10Z

Weaknesses