Skip to main content

Adobe Experience Manager As A Cloud Service

13 CVEs product

Monthly

CVE-2026-48310 HIGH This Week

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenticated attackers traverse outside the intended directory scope to retrieve sensitive files, per Adobe advisory APSB26-74. The CVSS 3.1 score of 8.6 is elevated by a changed scope (S:C), meaning the read reaches resources beyond the vulnerable component's security authority. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
8.6
EPSS
0.6%
CVE-2026-48259 CRITICAL Act Now

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation.

SSRF RCE Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts +1
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-48359 CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts +1
NVD
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-48263 MEDIUM This Month

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48260 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48355 MEDIUM This Month

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48261 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48253 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48262 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48252 HIGH This Week

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthenticated attacker reach a critical function directly, bypassing a security control to gain unauthorized write access. The CVSS 8.6 rating and scope-change flag indicate impact can extend beyond the initially vulnerable component, though only integrity is affected (no confidentiality or availability loss). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-48255 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48257 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48254 MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts Adobe Experience Manager 6 5
NVD
CVSS 3.1
5.4
EPSS
0.3%
EPSS 1% CVSS 8.6
HIGH This Week

Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenticated attackers traverse outside the intended directory scope to retrieve sensitive files, per Adobe advisory APSB26-74. The CVSS 3.1 score of 8.6 is elevated by a changed scope (S:C), meaning the read reaches resources beyond the vulnerable component's security authority. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation.

SSRF RCE Adobe +3
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe +3
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Missing authentication in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) lets a remote unauthenticated attacker reach a critical function directly, bypassing a security control to gain unauthorized write access. The CVSS 8.6 rating and scope-change flag indicate impact can extend beyond the initially vulnerable component, though only integrity is affected (no confidentiality or availability loss). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

XSS Adobe Adobe Experience Manager As A Cloud Service +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy