Skip to main content
CVE-2026-48258 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) enables an authenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment with attacker-controlled input. The CVSS Scope:Changed designation indicates the injected script can affect resources beyond the AEM application boundary - including session tokens and cross-origin interactions - elevating the practical impact beyond a simple content injection. No public exploit identified at time of analysis and no CISA KEV listing; Adobe has released advisory APSB26-56 addressing this issue.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48256 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker with low privileges to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The CVSS vector confirms scope change (S:C), meaning the injected script can affect browser contexts beyond the vulnerable AEM page itself - enabling session hijacking, credential theft, or unauthorized actions performed as the victim. No public exploit code or active exploitation has been identified at time of analysis, and exploitation requires user interaction, limiting opportunistic mass exploitation.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48251 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows an authenticated low-privileged attacker to inject and execute malicious JavaScript within a victim's browser by manipulating client-side DOM processing. The CVSS scope change (S:C) indicates the exploit can break out of the originating page's security context, enabling session hijacking or cross-origin actions against higher-privileged users. No public exploit identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48250 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) is a notable signal - injected script executes outside the attacker's own security context, enabling session hijacking or privilege escalation against higher-privileged users such as AEM administrators. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47993 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows an authenticated low-privilege attacker to inject and execute malicious JavaScript in a victim's browser by luring them to a crafted webpage. The CVSS Scope:Changed designation (S:C) confirms the injected script can affect browser contexts beyond the vulnerable page itself, elevating potential impact beyond the C:L/I:L ratings alone suggest. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47990 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to a page containing the poisoned field, the script executes in their browser context. The CVSS scope change (S:C) signals that exploitation crosses a security boundary - a content-authoring account can target higher-privileged administrative sessions - amplifying the effective impact beyond the medium CVSS score of 5.4. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47986 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) enables an authenticated attacker to inject malicious JavaScript into a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) confirms the injected script can affect browser context beyond the AEM application boundary - a hallmark of XSS elevation into session hijacking or admin pivot. Exploitation requires low-privilege authenticated access and user interaction; no public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47978 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser under a changed scope (S:C), meaning the injected payload escapes the attacker's own session context and impacts other users - enabling session hijacking, credential harvesting, or unauthorized AEM actions on their behalf. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47974 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. Affected versions include AEM 6.5.24, LTS SP1, and 2026.04 and earlier. The scope-changed CVSS designation reflects the cross-context impact typical of stored XSS - compromising the victim's browser session rather than just the server-side application. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47972 MEDIUM This Month

Stored XSS in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform's content authoring interface. When a victim - typically an administrator or higher-privileged user - browses the page containing the injected field, the script executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the changed scope (S:C) in the CVSS vector elevates the effective impact beyond the originating component, making this a meaningful risk in environments with untrusted low-privilege authors.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47956 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in any victim's browser upon page visit. Affected versions span the 6.5.x LTS line through 6.5.24 and LTS SP1, as well as cloud-service releases through 2026.04. The CVSS Scope:Changed designation confirms the payload can affect browser contexts beyond the attacker's own session - elevating concern for privilege escalation against higher-privileged users such as administrators. No public exploit identified at time of analysis and no CISA KEV listing observed.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47951 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users - including higher-privileged ones - who subsequently visit the affected page. Affected versions span 6.5.24, LTS SP1, and 2026.04 and earlier. The CVSS Scope:Changed designation indicates that successful exploitation can impact components beyond the attacker's privilege boundary, elevating the practical impact of an otherwise medium-severity finding. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47950 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier allows an authenticated low-privileged attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses to the page containing the poisoned field, the script executes in their browser under AEM's origin, with scope change (S:C) enabling the attacker to affect browser context beyond AEM's own security boundary. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low access complexity and persistent nature of the payload make this a credible threat in multi-tenant or contributor-accessible AEM environments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47949 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users who visit the affected page. Affected versions span the 6.5.x branch (through 6.5.24), the LTS SP1 track, and the cloud-native 2026.04 release and earlier. The scope-changed CVSS rating reflects that the injected payload crosses the security boundary from the attacker's session context to arbitrary victim sessions, enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47948 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields, executing in the browser of any user who subsequently views the affected page. The CVSS Scope Changed (S:C) designation confirms the injected script crosses trust boundaries, meaning payloads can target administrator sessions, exfiltrate tokens, or perform privileged actions beyond the AEM application context. Adobe has published advisory APSB26-56 addressing this issue; no public exploit has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47947 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows an authenticated low-privileged attacker to inject and execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment through a crafted webpage. Successful exploitation results in a scope change (S:C), meaning attacker-controlled script can reach resources beyond the vulnerable AEM component - such as session tokens or cross-origin content accessible to the victim. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though Adobe's own PSIRT reported it under advisory APSB26-56.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47946 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject and execute malicious JavaScript within a victim's browser by manipulating the Document Object Model. The CVSS Scope:Changed rating signals that successful exploitation breaks out of the vulnerable component's security boundary, enabling impact on resources beyond AEM itself - such as adjacent browser sessions or stored credentials. No public exploit identified at time of analysis, and CISA KEV listing is absent, but the low attack complexity and changed scope make this a meaningful risk for organizations running AEM with untrusted low-privilege users.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47945 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject malicious scripts into vulnerable form fields, which then execute in any victim's browser when they navigate to the affected page. The Changed scope (S:C) in the CVSS vector confirms that impact escapes the vulnerable component and reaches the victim's browser context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47944 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions up to 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform. When a higher-privileged user - such as an administrator or content editor - subsequently browses to a page containing the poisoned field, the injected script executes in their browser, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; Adobe has published advisory APSB26-56 to address this issue.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47943 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser within a changed scope context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the Adobe APSB26-56 advisory provides remediation guidance.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47942 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) permits a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields, which then executes in any victim's browser upon visiting the affected page. The CVSS scope change (S:C) indicates the injected script can impact browser contexts beyond AEM itself - enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47941 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the page containing the tainted field, the script executes in their browser under a changed scope (S:C), meaning the impact extends beyond the originating application context. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the low attack complexity and broad version range make this a realistic internal threat in multi-tenant AEM environments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47939 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to the affected page, the injected script executes within their browser session. The CVSS Scope:Changed rating confirms the exploit crosses security boundaries: the attacker's injected payload affects victims beyond the attacker's own session, enabling session hijacking, credential theft, or privilege escalation in a CMS where administrators hold significant content control. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47936 MEDIUM This Month

Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields via the AEM authoring interface. When any victim browses a page containing the compromised field, the injected script executes within their browser - the CVSS Scope Changed (S:C) flag confirms the impact crosses trust boundaries beyond the AEM application itself, enabling session theft or unauthorized actions on behalf of higher-privileged users. No public exploit identified at time of analysis; Adobe has published advisory APSB26-56 addressing this issue.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47935 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged remote attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The changed scope (S:C in CVSS) means successful exploitation can affect resources beyond the vulnerable component itself, enabling session hijacking or credential theft against AEM users. Exploitation requires user interaction - the victim must be social-engineered into visiting an attacker-controlled or injected URL - and no public exploit or CISA KEV listing exists at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34692 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34033 MEDIUM This Month

HTML content injection in Apache Answer's email notification system allows authenticated users to embed arbitrary HTML markup into notification emails delivered to other platform users. All versions through 2.0.0 are affected. Because no CVSS vector was published at time of analysis, authentication requirements are confirmed from the description rather than from a CVSS PR component - an attacker must have a valid platform account to submit the content that triggers the malicious notification. No public exploit code and no CISA KEV listing have been identified.

XSS Apache
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36728 MEDIUM This Month

Markdown-based XSS in FastapiAdmin v2.2.0's AI assistant chat function allows unauthenticated remote attackers to inject crafted markdown payloads that execute arbitrary JavaScript in a victim's browser. The Changed scope (S:C) in the CVSS vector confirms the vulnerability crosses the application trust boundary into the browser security context. A public proof-of-concept exists via the researcher disclosure repository, and no vendor-released patch has been identified at time of analysis.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36722 MEDIUM This Month

Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.

RCE File Upload N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47989 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows an authenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context - separate from the vulnerable AEM application - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. Exploitation requires low privileges (authenticated attacker) and user interaction (victim must visit a crafted webpage); no public exploit identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47987 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables an authenticated remote attacker to inject and execute arbitrary JavaScript within a victim's browser session by manipulating the client-side DOM environment. The CVSS Scope:Changed rating confirms the vulnerability crosses the security boundary from the AEM application into the victim's browser context, enabling theft of session tokens, credential harvesting, or malicious redirects. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47985 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to deliver a crafted webpage that, when visited by a victim, executes arbitrary JavaScript within the victim's browser context. The CVSS scope change (S:C) indicates impact crosses the security boundary of the vulnerable AEM component into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; SSVC assessment marks exploitation as none and the attack as not automatable.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47983 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager allows an authenticated, low-privileged attacker to execute arbitrary JavaScript in a victim's browser by enticing them to visit a crafted webpage. Affected versions span the 6.5.x line through 6.5.24, the LTS SP1 branch, and all cloud releases through 2026.04. The Scope:Changed CVSS attribute indicates the injected script can affect resources beyond the originating AEM context - elevating the practical impact above what the 5.4 Medium score alone suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47982 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows an authenticated low-privilege attacker to execute arbitrary JavaScript in a victim's browser by directing them to a crafted webpage. The scope-changed rating (S:C) indicates the injected script's impact escapes the vulnerable AEM component boundary, potentially compromising session data or other browser-accessible resources belonging to the victim. No public exploit code has been identified and no active exploitation is confirmed by CISA KEV at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47981 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses the page hosting the tampered field, the injected script executes in their browser under the application's security context, with scope change (S:C) enabling impact beyond the originating component. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and broad AEM deployment surface make patching a priority for enterprise environments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47980 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious scripts into vulnerable form fields within the CMS authoring interface. When a higher-privileged user such as an administrator subsequently browses to the page hosting the injected content, the JavaScript executes in their browser session under a changed security scope, enabling potential session hijacking or privilege escalation. No public exploit code or active exploitation confirmed by CISA KEV has been identified at time of analysis; Adobe has issued security advisory APSB26-56 addressing this issue.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47977 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the affected page, the injected script executes in their browser, potentially enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and scope-changed rating elevate real-world concern for multi-tenant AEM deployments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47975 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields within the CMS. When any victim - potentially a higher-privileged editor or administrator - browses to the page containing the injected content, the script executes in their browser context, with scope change (S:C) indicating the impact crosses AEM's security boundary into the victim's browser. No public exploit identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47973 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to a page containing the injected content, the script executes in their browser under a changed security scope (S:C), potentially compromising confidentiality and integrity of the victim's session. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, AEM's widespread enterprise deployment and the low barrier of entry (low-privilege account only) make this a meaningful risk in environments where untrusted or lightly vetted users have authoring or form-editing access.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47970 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables low-privileged authenticated attackers to inject persistent malicious JavaScript into vulnerable form fields, which then executes in the browsers of users who visit the affected pages. The CVSS Scope:Changed designation means injected scripts can breach the security context of the AEM application itself, potentially affecting other browser-accessible resources. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47966 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in other users' browsers upon page load. Affected versions span the 6.5.x branch through 6.5.24, the LTS SP1 track, and cloud-native releases through 2026.04. No public exploit code or active exploitation has been identified at time of analysis; however, the changed scope (S:C) elevates real-world impact by enabling session hijacking or credential theft against higher-privileged users such as authors or administrators.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47962 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses a page containing the poisoned field, the script executes in their browser - with scope change (S:C) meaning the injected payload can affect resources and sessions beyond the origin of the vulnerable component itself. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47958 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields. When a victim - such as an administrator - browses a page containing the injected payload, the script executes in their browser session, enabling session hijacking, credential theft, or privilege escalation within the AEM instance. The CVSS Scope:Changed designation elevates practical risk above the medium base score of 5.4, as impact extends beyond the attacker's own session to the victim's browser context. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47957 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any victim user subsequently browses to the page hosting the injected content, the script executes in their browser - outside AEM's security boundary (CVSS S:C, scope changed) - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47954 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persist malicious JavaScript payloads inside vulnerable form fields. When a higher-privileged user - such as an administrator or editor - later browses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions on the victim's behalf. The CVSS Scope:Changed designation confirms the exploit transcends the attacker's own privilege boundary; no public exploit has been identified and CISA SSVC assessment rates exploitation as none at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47953 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41972 MEDIUM This Month

Path traversal in the HarmonyOS SMS application allows unauthenticated remote attackers to impact integrity and availability on affected Huawei devices. Exploitation requires user interaction - a victim must engage with a crafted message - but no privileges or special authentication are needed from the attacker's side, lowering the barrier to reach a target. No public exploit or CISA KEV listing exists at time of analysis; this appears to be a vendor-disclosed issue patched in the June 2026 Huawei security bulletin.

Path Traversal
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36726 MEDIUM This Month

{file} endpoint, which fails to restrict path traversal sequences in the file parameter. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no privileges, and no user interaction from a network position. No public exploit identified at time of analysis, and the EPSS score of 0.12% (30th percentile) reflects low observed exploitation probability, though the no-auth attack surface warrants attention for publicly exposed deployments.

Path Traversal N A
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-42914 MEDIUM PATCH Exploit Unlikely This Month

Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.

Denial Of Service Information Disclosure Microsoft Buffer Overflow Windows 10 1607 +12
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-49843 MEDIUM PATCH This Month

Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Authentication Bypass Freeswitch
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
Prev Page 13 of 16 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy