Skip to main content

Adobe Experience Manager EUVDEUVD-2026-35642

| CVE-2026-47980 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 psirt@adobe.com GHSA-p454-mq32-f8wx
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 19:19 vuln.today

DescriptionCVE.org

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

AnalysisAI

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious scripts into vulnerable form fields within the CMS authoring interface. When a higher-privileged user such as an administrator subsequently browses to the page hosting the injected content, the JavaScript executes in their browser session under a changed security scope, enabling potential session hijacking or privilege escalation. No public exploit code or active exploitation confirmed by CISA KEV has been identified at time of analysis; Adobe has issued security advisory APSB26-56 addressing this issue.

Technical ContextAI

Adobe Experience Manager is a Java-based enterprise CMS platform used for web content authoring and digital asset management. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), meaning user-supplied input in one or more form fields is persisted to the content repository and later rendered without adequate output encoding in downstream page views. The CVSS scope-change indicator (S:C) is the technically significant signal here: the injected script executes within the security context of whoever views the page, not the attacker's session, allowing the attacker to cross trust boundaries. EUVD-2026-35642 corroborates the affected range as AEM versions up to and including 2026.04. Specific vulnerable components or field types are not identified in the available data; the Adobe advisory APSB26-56 should be consulted for component-level detail.

RemediationAI

Apply the update specified in Adobe security advisory APSB26-56 at https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html - the exact fixed release version was not independently confirmed from the available input data and must be verified directly from that advisory. As a compensating control pending patching, restrict AEM authoring and content-submission permissions to a minimum set of trusted, identifiable user accounts, since exploitation requires a valid low-privileged account with write access to vulnerable form fields; removing or tightly scoping the Contributor or Author role for untrusted users directly eliminates the attack surface. Deploying a Web Application Firewall with XSS signature rules on AEM authoring endpoints can provide partial defense-in-depth, though WAF bypass is feasible for determined attackers and should not be treated as a primary mitigation. Content Security Policy (CSP) headers configured on AEM publish and author instances can limit the impact of script injection even if a payload is stored, by restricting script execution to trusted origins.

More in Adobe

View all
CVE-2015-5119 CRITICAL POC
9.8 Jul 08

Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr

CVE-2016-4117 CRITICAL POC
9.8 May 11

Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a

CVE-2015-3113 CRITICAL POC
9.8 Jun 23

Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J

CVE-2011-2462 CRITICAL POC
9.8 Dec 07

Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote

CVE-2011-0611 HIGH POC
8.8 Apr 13

Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar

CVE-2009-0927 HIGH POC
8.8 Mar 19

Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj

CVE-2014-0497 CRITICAL POC
9.8 Feb 05

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma

CVE-2009-4324 HIGH POC
7.8 Dec 15

Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac

CVE-2015-0313 CRITICAL POC
9.8 Feb 02

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows

CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2015-0311 CRITICAL POC
9.8 Jan 23

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window

CVE-2013-0632 CRITICAL POC
9.8 Jan 17

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos

Share

EUVD-2026-35642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy