Skip to main content

Adobe Experience Manager CVE-2026-47953

| EUVDEUVD-2026-35720 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 psirt@adobe.com GHSA-63pf-j459-66x7
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 19:26 vuln.today

DescriptionCVE.org

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

AnalysisAI

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.

Technical ContextAI

Adobe Experience Manager is a widely deployed enterprise content management and digital experience platform. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), meaning user-controlled input submitted to a form field is persisted in the AEM content repository without adequate output encoding, and is later rendered verbatim in HTML pages served to other users. The CVSS scope-change designation (S:C) is canonical for stored XSS: the vulnerable component is the AEM server, but the security impact - arbitrary JavaScript execution - occurs in a different security principal's browser context. The CVSS vector AV:N/AC:L/PR:L/UI:R encodes that the attack is network-reachable, requires no special configuration to trigger, needs only a low-privilege AEM account to plant the payload, but does require a second-party victim to browse to the poisoned page. The affected CPE range per EUVD-2026-35720 spans all AEM releases up to and including 2026.04, covering both the legacy 6.5.x LTS line and the AEM as a Cloud Service release train.

RemediationAI

Apply the fix detailed in Adobe Security Bulletin APSB26-56 at https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html. The exact patched release version is not independently confirmed from the available input data - consult APSB26-56 directly for the specific build or cumulative fix pack to install. As a compensating control while patching is scheduled, restrict write access to AEM form authoring components to the minimum set of trusted users, removing low-privileged or external-contributor roles from any content-authoring permissions where possible; this directly removes the attacker's ability to plant the payload (PR:L requirement). Deploying a strict Content Security Policy (CSP) header that disallows inline script execution on AEM-served pages will reduce the impact of any injected payload, though this may break legitimate AEM in-page JavaScript and should be tested in a staging environment first. Input validation or WAF rules that strip or encode script tags in form submission payloads provide an additional layer but are not a substitute for the vendor patch.

More in Adobe

View all
CVE-2015-5119 CRITICAL POC
9.8 Jul 08

Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr

CVE-2016-4117 CRITICAL POC
9.8 May 11

Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a

CVE-2015-3113 CRITICAL POC
9.8 Jun 23

Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J

CVE-2011-2462 CRITICAL POC
9.8 Dec 07

Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote

CVE-2011-0611 HIGH POC
8.8 Apr 13

Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar

CVE-2009-0927 HIGH POC
8.8 Mar 19

Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj

CVE-2014-0497 CRITICAL POC
9.8 Feb 05

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma

CVE-2009-4324 HIGH POC
7.8 Dec 15

Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac

CVE-2015-0313 CRITICAL POC
9.8 Feb 02

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows

CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2015-0311 CRITICAL POC
9.8 Jan 23

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window

CVE-2013-0632 CRITICAL POC
9.8 Jan 17

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos

Share

CVE-2026-47953 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy