By vendor

Adobe vulnerabilities

Known CVEs affecting Adobe products, prioritized by severity, with SEC.co remediation and detection guidance.

119 published vulnerabilities · page 2 of 2

  • CVE-2026-48251MEDIUM 5.4

    Adobe Experience Manager (AEM) contains a vulnerability that allows attackers to inject malicious scripts into the DOM, which execute in users' browsers. This DOM-based cross-site scripting (XSS) flaw affects multiple versions of AEM up to and including 6.5.24, LTS SP1, and 2026.04. Exploitation requires an attacker to trick a user into visiting a specially crafted webpage, making it dependent on user interaction. Once the malicious page loads, the attacker's JavaScript runs within the victim's browser session, potentially allowing theft of session tokens, credential capture, or unauthorized actions on behalf of the user.

  • CVE-2026-48256MEDIUM 5.4

    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a DOM-based cross-site scripting (XSS) flaw. An attacker can craft a malicious webpage that, when visited by an authenticated AEM user, executes JavaScript in the victim's browser with their privileges. The attack requires user interaction—specifically, a victim must click a link or visit the attacker's page—but once triggered, the malicious script runs within the AEM session context, potentially allowing unauthorized actions or data theft.

  • CVE-2026-48258MEDIUM 5.4

    Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) vulnerability that allows an attacker to inject and execute malicious JavaScript code in a victim's browser. The vulnerability affects multiple versions of AEM (6.5.24, LTS SP1, 2026.04 and earlier) and requires an authenticated user with low privileges to click a specially crafted link or visit a malicious webpage. While the impact is limited to theft of session data or minor modification of page content visible to the victim, the cross-scope nature of the vulnerability means the malicious script can access resources and functionality beyond the immediate affected component.

  • CVE-2026-48264MEDIUM 5.4

    Adobe Experience Manager (AEM) contains a DOM-based cross-site scripting vulnerability that allows an authenticated attacker to inject malicious JavaScript into a victim's browser session. The vulnerability affects multiple AEM versions up to and including 6.5.24, LTS SP1, and 2026.04. Successful exploitation requires the victim to visit an attacker-crafted webpage while logged into AEM, making social engineering a prerequisite for impact. The vulnerability carries a CVSS score of 5.4 (Medium), reflecting limited scope but meaningful exposure to confidentiality and integrity.

  • CVE-2026-48265MEDIUM 5.4

    Adobe Experience Manager (AEM) contains a DOM-based Cross-Site Scripting vulnerability that allows authenticated attackers to inject malicious JavaScript into a victim's browser session. The flaw requires an attacker to trick a user into visiting a specially crafted webpage while logged into AEM, potentially compromising sensitive data or session integrity. Versions 6.5.24, LTS SP1, 2026.04 and earlier are affected.

  • CVE-2026-48266MEDIUM 5.4

    Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages. An attacker would need to trick a user into visiting a specially crafted webpage, where the victim's browser would then execute the attacker's code in the context of their AEM session. This could allow the attacker to steal session tokens, modify page content, or perform actions on behalf of the victim. The vulnerability affects multiple versions of AEM, with scope changes that increase the potential impact surface.

  • CVE-2026-48268MEDIUM 5.4

    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a DOM-based cross-site scripting (XSS) vulnerability that allows an attacker to inject and execute malicious JavaScript in a victim's browser. The attack requires the victim to visit a specially crafted webpage while authenticated to an affected AEM instance. An attacker exploiting this could steal session tokens, perform unauthorized actions, or deface content—all within the victim's authenticated session context.

  • CVE-2026-48271MEDIUM 5.4

    Adobe Experience Manager (AEM) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious JavaScript into web pages. The vulnerability requires an attacker to trick a user into visiting a specially crafted webpage while logged into AEM. Once triggered, the malicious script executes in the victim's browser with their permissions, potentially allowing session hijacking, credential theft, or unauthorized actions on behalf of the victim. The vulnerability affects AEM versions 6.5.24, LTS SP1, 2026.04 and earlier.

  • CVE-2026-48280MEDIUM 5.4

    Adobe Experience Manager contains a cross-site scripting (XSS) flaw that allows an attacker to inject malicious JavaScript into a user's browser session. The vulnerability is triggered when a victim visits a specially crafted webpage while authenticated to the affected AEM instance. Once executed, the injected code runs with the victim's privileges, potentially allowing theft of session data, unauthorized actions on their behalf, or malware distribution. The issue affects multiple AEM versions including 6.5.24, LTS SP1, and 2026.04 and earlier.

  • CVE-2026-48297MEDIUM 5.4

    Adobe Experience Manager (AEM) contains a stored cross-site scripting vulnerability that allows low-privileged users to embed malicious scripts into form fields. When legitimate users view pages containing these compromised fields, the injected JavaScript executes in their browsers, potentially compromising their sessions or enabling further attacks. The vulnerability affects AEM versions 6.5.24, LTS SP1, 2026.04 and earlier.

  • CVE-2026-48299MEDIUM 5.4

    Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability in form field handling. A low-privileged user can inject malicious JavaScript that persists in the system. When other users view the affected form, the injected script executes in their browsers, potentially stealing session data, credentials, or performing actions on their behalf. The vulnerability requires user interaction (viewing the malicious form) to trigger but can affect users across the platform due to its changed scope classification.

  • CVE-2026-48300MEDIUM 5.4

    Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability in form field handling that allows low-privileged users to inject malicious JavaScript. When a victim visits a page containing an affected form field, the attacker's script executes in their browser, potentially compromising their session or stealing sensitive data. The vulnerability affects multiple versions including 6.5.24, LTS SP1, and 2026.04 and earlier.

  • CVE-2026-48301MEDIUM 5.4

    Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw that allows a low-privileged user to plant malicious code in form fields. When other users visit pages containing these compromised fields, the injected scripts execute in their browsers, potentially stealing session data, credentials, or performing actions on their behalf. The vulnerability affects multiple versions through 2026.04 and requires user interaction—a victim must view the poisoned form—but the attacker needs only basic authentication access to inject the payload.

  • CVE-2026-48304MEDIUM 5.4

    Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to inject malicious JavaScript into form fields. When other users—typically administrators or content editors—view pages containing these compromised fields, the attacker's script executes in their browser. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects multiple versions through 2026.04 and requires user interaction (the victim must view the poisoned form) but can compromise users with higher privileges than the attacker.

  • CVE-2026-34694MEDIUM 4.8

    Adobe Experience Manager Forms JEE contains a stored cross-site scripting (XSS) vulnerability in form fields that allows a high-privileged attacker to inject malicious JavaScript code. When other users visit a page containing the compromised form field, the malicious script executes in their browser, potentially compromising their session, credentials, or sensitive data. The vulnerability affects versions LTS SP1, 6.5.24.0 and earlier.

  • CVE-2026-47933MEDIUM 4.8

    Adobe ColdFusion versions 2023.19, 2025.8 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged attackers to inject malicious JavaScript into form fields. When other users view pages containing these compromised fields, the attacker's script executes in their browsers. This is a persistence mechanism rather than a one-time attack—the malicious code remains embedded in the application until remediated.

  • CVE-2026-47991MEDIUM 4.3

    Adobe Experience Manager contains a flaw that allows attackers to craft deceptive URLs that redirect users to attacker-controlled websites. If a victim clicks such a link, they may be taken to a fake login page or other malicious site where their credentials could be stolen, leading to account compromise. This vulnerability affects multiple AEM versions and requires user interaction—the attacker must convince someone to click the malicious link.

  • CVE-2026-48288LOW 3.5

    Adobe Experience Manager contains a flaw in how it validates user input that can allow a logged-in attacker to bypass certain security controls and gain unauthorized write permissions. The attacker must trick a victim into visiting a malicious link or interacting with a compromised page, making this a lower-risk issue in practice. Affected versions include 6.5.24, LTS SP1, 2026.04 and earlier.

  • CVE-2026-48289LOW 3.5

    Adobe Experience Manager contains a vulnerability in how it validates user input that could allow a low-privileged attacker to bypass security controls and gain unauthorized write access to content. The attack requires the victim to visit a malicious link or interact with a compromised webpage, making it a practical but not trivial threat in environments where AEM is exposed to users. This is not currently listed as exploited in the wild.