Skip to main content

Experience Manager Forms

8 CVEs product

Monthly

CVE-2025-54254 HIGH POC This Month

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Experience Manager Forms
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-54253 CRITICAL POC KEV THREAT Emergency

Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0).

Authentication Bypass RCE Adobe Experience Manager Forms
NVD
CVSS 3.1
10.0
EPSS
12.8%
CVE-2020-9733 HIGH PATCH This Week

An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions of a high privileged service user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Java Information Disclosure Experience Manager Experience Manager Forms
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2020-9732 CRITICAL PATCH Act Now

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Experience Manager Experience Manager Forms
NVD
CVSS 3.1
9.0
EPSS
2.8%
CVE-2019-8089 MEDIUM PATCH This Month

Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Information Disclosure Adobe Experience Manager Forms
NVD
CVSS 3.1
6.1
EPSS
1.5%
CVE-2019-7129 MEDIUM This Month

Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Information Disclosure Adobe Experience Manager Forms
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2017-3067 HIGH This Week

Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting from abuse of the pre-population service in AEM Forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Information Disclosure Experience Manager Forms
NVD
CVSS 3.0
7.5
EPSS
4.5%
CVE-2016-6934 MEDIUM PATCH This Month

Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Experience Manager Forms Livecycle
NVD
CVSS 3.0
6.1
EPSS
0.9%
EPSS 0% CVSS 8.6
HIGH POC This Month

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Experience Manager Forms
NVD
EPSS 13% CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0).

Authentication Bypass RCE Adobe +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions of a high privileged service user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Java Information Disclosure Experience Manager +1
NVD
EPSS 3% CVSS 9.0
CRITICAL PATCH Act Now

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Experience Manager Experience Manager Forms
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Information Disclosure Adobe +1
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Information Disclosure Adobe +1
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting from abuse of the pre-population service in AEM Forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Information Disclosure Experience Manager Forms
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Experience Manager Forms +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy