EUVD-2026-35763
GHSA-hpmf-43r3-vfhj
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Articles & Coverage 2
AnalysisAI
Stored cross-site scripting in Adobe Experience Manager Forms JEE LTS SP1 and 6.5.24.0 and earlier allows remote unauthenticated attackers to inject malicious JavaScript into vulnerable form fields that executes in victims' browsers when they visit the affected page. The scope-changed CVSS 9.3 reflects that the injected script can pivot beyond the vulnerable component to compromise the victim's authenticated session or account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to submit data into a vulnerable form field of an AEM Forms JEE deployment running LTS SP1 or 6.5.24.0 or earlier - per CVSS PR:N this submission step itself requires no authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and warrant careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a crafted form on a public-facing AEM Forms JEE page, embedding a JavaScript payload in a field whose contents are later rendered to back-office reviewers or administrators. When a privileged user opens the form in their browser, the stored payload executes in their session context and exfiltrates session cookies or invokes administrative API calls on their behalf, pivoting the compromise from the form component into the broader AEM environment (scope change). … |
| Remediation | Patch available per vendor advisory APSB26-57 at https://helpx.adobe.com/security/products/aem-forms/apsb26-57.html - upgrade AEM Forms JEE to the fixed version listed in that bulletin (exact fixed version is not enumerated in the input data and should be taken from the Adobe advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Adobe Experience Manager Forms JEE deployments and identify instances running version 6.5.24.0 or earlier; assess external user exposure to web forms. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated networ
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary
Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop a
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs via an uncontrol
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651, and earlier versions occurs through a use-a
Share
External POC / Exploit Code
Leaving vuln.today