
Adobe Experience Manager Forms CVE-2026-34693

EUVD-2026-35765 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 · adobe · GHSA-92h9-9fj6-4hp7
CVSS 3.1 (NVD): 4.7

Severity by source

NVD (primary): 4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Jun 11, 2026 - 17:37 · NVD · Severity changed: HIGH → MEDIUM
Jun 11, 2026 - 17:37 · NVD · CVSS changed: 8.0 (HIGH) → 4.7 (MEDIUM)
Jun 09, 2026 - 18:51 · vuln.today · Analysis generated
Jun 09, 2026 - 17:13 · NVD · CVE published: HIGH 8.0

Description (NVD)

Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Analysis (AI)

Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify exposed AEM Forms JEE instance
Delivery: Craft reflected XSS URL with JS payload
Exploit: Phish AEM administrator with crafted link
Install: Victim clicks while authenticated
C2: Script executes in changed scope
Execute: Steal session or invoke privileged API
Impact: Exfiltrate form data or pivot

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the targeted organization to be running Adobe Experience Manager Forms JEE LTS SP1 or 6.5.24.0 or earlier with the vulnerable reflected endpoint reachable by the victim's browser, (2) user interaction, specifically that an authenticated AEM Forms user (an administrator, if the Scope:Changed privilege crossover is to be realized) visits the attacker-crafted URL or a page that triggers the reflected request, and (3) per Adobe's own description, additional conditions beyond the attacker's control must align, consistent with the CVSS High attack complexity rating (AC:H), likely involving specific browser, session, or input-parsing states. …

Risk Assessment: The CVSS vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N reveals a more nuanced picture than the raw 8.0 score suggests: exploitation requires both High attack complexity (Adobe notes "Exploit depends on conditions beyond the attacker's control") and User Interaction (the victim must click a crafted link or visit a poisoned page), which materially limits drive-by mass-exploitation potential. …

Exploit Scenario: An attacker crafts a URL targeting a vulnerable reflected endpoint on the victim organization's AEM Forms JEE server with a JavaScript payload in a request parameter, then delivers it via phishing email or a watering-hole site frequented by AEM administrators. When a logged-in AEM Forms administrator clicks the link, their browser executes the attacker's script under the AEM origin and, because the scope is Changed, in a higher-privilege context, allowing the attacker to exfiltrate the admin session token, submit form-management API calls on the admin's behalf, or pivot to stored content. …

Remediation: A patch is available per vendor advisory APSB26-57 (https://helpx.adobe.com/security/products/aem-forms/apsb26-57.html); apply the fixed AEM Forms JEE Service Pack referenced in that bulletin as the primary remediation. The exact post-LTS-SP1 / post-6.5.24.0 fix build should be taken from the Adobe advisory itself. …

Recommended Action (AI)

Within 24 hours: Inventory all Adobe Experience Manager Forms JEE deployments running LTS SP1, 6.5.24.0 or earlier; brief security and development teams on vulnerability scope and risks. …


CVE-2026-34693 vulnerability details – vuln.today
