Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Missing authentication makes it network-reachable and unauthenticated (AV:N/PR:N/AC:L/UI:N); impact is unauthorized write (I:H) with no confidentiality or availability loss, and the cross-boundary function yields S:C.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.
AnalysisAI
Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthenticated attacker reach a critical function directly, bypassing a security control to gain unauthorized write access. The CVSS 8.6 rating and scope-change flag indicate impact can extend beyond the initially vulnerable component, though only integrity is affected (no confidentiality or availability loss). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the AEM endpoint that exposes the affected critical function; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is remote, low-complexity, unauthenticated, and needs no user interaction, so against an exposed default-affected AEM instance no special conditions apply. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately concerning but not maximal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-reachable AEM author or publish instance and sends a crafted HTTP request directly to the unauthenticated critical-function endpoint, without needing credentials or any user interaction. Because authentication is missing, the request executes a state-changing operation, giving the attacker unauthorized write access to content or configuration that crosses into another component's authorization scope. … |
| Remediation | Apply the fix per Adobe advisory APSB26-74 (https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html); the provided data does not contain an exact patched build number, so treat this as 'Patch available per vendor advisory' and pull the precise version and service-pack/hotfix identifiers from that advisory for AEM 6.5 and 6.5 LTS. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, restrict network access to all vulnerable AEM instances to administrative users only and enable comprehensive audit logging for write operations to detect unauthorized changes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6
Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged
Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenti
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44379
GHSA-jjf4-ppfx-v66m