MEDIUM 5.4

CVE-2026-47935: Adobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)

Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) flaw that allows an attacker to inject malicious JavaScript code into a victim's browser session. The vulnerability affects multiple versions up to 6.5.24, LTS SP1, and 2026.04. An attacker must trick a user into visiting a specially crafted webpage to trigger the exploit, but once executed, the malicious script runs with the victim's privileges and can access or modify sensitive data within the AEM application context across different origin boundaries.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a DOM-based XSS vulnerability (CWE-79) in Adobe Experience Manager that arises from improper handling of untrusted input in the Document Object Model. Unlike stored or reflected XSS, the vulnerability manifests when client-side JavaScript processes attacker-controlled data without adequate sanitization or encoding. The attack vector is network-based with low complexity; it requires user interaction (visiting a malicious link) and valid AEM credentials (PR:L in the CVSS vector). The scope change indicates the attack can affect resources beyond the vulnerable component's original security boundary. The vulnerability scored CVSS 5.4 (Medium severity) with limited confidentiality and integrity impact but no availability impact.

Business impact

Organizations running vulnerable AEM versions face session hijacking and credential theft risks if users are socially engineered into visiting attacker-controlled pages. Since AEM commonly manages digital content, marketing collateral, and customer-facing websites, a successful XSS attack could deface content, harvest visitor data, or redirect users to malicious sites. The requirement for user interaction limits the attack surface to phishing campaigns or malicious advertisements, but the broad adoption of AEM in enterprise environments makes this a meaningful concern. The scope change means an attacker's payload could potentially exfiltrate data or perform actions across different security domains within the AEM installation.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1 (all variants through the specified patch levels), and 2026.04 and earlier versions are vulnerable. Organizations should inventory all AEM deployments, including on-premises and cloud-hosted instances, to determine exposure. Patches or security updates from Adobe are required to remediate; verify the exact affected version lineage and available patched versions against Adobe's official security advisory.

Exploitability

Exploitability is moderate. The attack requires a valid AEM user to be present and actively using the application, then become the target of a social engineering campaign (phishing, watering hole, malicious ad). There is no evidence of public exploit code or active exploitation in the wild at this time—the vulnerability is not tracked in the Known Exploited Vulnerabilities (KEV) catalog. However, DOM-based XSS techniques are well-understood, and a determined attacker with basic web security knowledge could craft an effective payload. The low complexity and network accessibility make this a realistic threat if users are not security-aware.

Remediation

Apply the latest security patches from Adobe for your specific AEM version line (6.5.x, LTS, or 2026.x). Verify patch availability and deployment instructions in Adobe's official security advisory. Beyond patching, implement input validation and output encoding best practices in any custom AEM components or extensions. Consider Content Security Policy (CSP) headers to restrict inline script execution. Conduct user awareness training to reduce phishing and social engineering susceptibility, since user interaction is required for exploitation.

Patch guidance

Contact Adobe support or check the official Adobe Security Advisories page for the specific patch version applicable to your AEM deployment. Do not rely on version numbers inferred from this advisory; verify all patch details directly against Adobe's published guidance. Test patches in a staging environment before production rollout. If you are running 6.5.24, LTS SP1, or 2026.04, you are confirmed vulnerable and should prioritize patching.

Detection guidance

Monitor web application firewall (WAF) logs and AEM access logs for suspicious DOM manipulation patterns, unusual JavaScript execution, or requests containing encoded script payloads. Look for HTTP requests with parameters that include HTML entities or JavaScript syntax targeting known AEM DOM endpoints. Implement endpoint detection and response (EDR) to flag processes spawning unexpected child processes or making unusual outbound connections following user interaction with AEM. Consider deploying browser-based isolation or sandboxing for high-risk users to contain XSS payload execution.

Why prioritize this

Although scored CVSS 5.4 (Medium), this vulnerability warrants prompt attention because AEM is widely deployed in enterprises, the attack vector is network-accessible and easy to exploit, and the scope change increases impact surface. The lack of KEV designation and active exploits provides a window to patch before widespread weaponization. Organizations managing customer-facing digital properties should prioritize this above lower-risk issues affecting internal-only systems.

Risk score, explained

The CVSS 5.4 score reflects network accessibility (AV:N) and low attack complexity (AC:L), offset by the requirement for user interaction (UI:R) and valid login credentials (PR:L). Confidentiality and integrity are slightly impacted (C:L, I:L), but availability is not affected (A:N). The scope change (S:C) increases the score by allowing cross-boundary attacks, elevating the severity from Low to Medium. In context, this is a realistic but not critical threat requiring timely but not emergency-level response.

Frequently asked questions

Do we need to be logged in to AEM for this attack to work?

Yes, the CVSS vector indicates PR:L (low privilege required), meaning an attacker must either be a valid AEM user or trick an existing user into clicking a malicious link. Unauthenticated visitors cannot directly trigger the vulnerability, but a low-privilege attacker (e.g., content contributor) could potentially escalate their access or impact other users.

Is this vulnerability being actively exploited?

As of the published date, this vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog, and there is no evidence of active, widespread exploitation. However, the simplicity of DOM-based XSS attacks means exploitation code could be rapidly developed if the vulnerability becomes public without patches deployed.

What should our first step be?

First, identify all AEM instances in your environment and their current version numbers. Cross-reference against the affected versions (6.5.24, LTS SP1, 2026.04 and earlier). Simultaneously, check Adobe's official security advisory for available patches and recommended remediation steps. Prioritize production systems managing sensitive or customer-facing content.

Can a WAF alone prevent this attack?

A well-tuned WAF can block some XSS payloads, but DOM-based XSS often bypasses traditional WAF detection because the malicious code is generated client-side. WAF rules should be part of a layered defense that includes patching, Content Security Policy headers, user training, and browser isolation for high-risk users.

This analysis is provided for informational purposes and does not constitute legal, regulatory, or professional security advice. All information is derived from published CVE records and vendor advisories current as of the knowledge cutoff date. Patch version numbers, availability, and remediation steps must be verified directly against Adobe's official security communications. Organizations should consult their own security teams and vendor resources before implementing changes. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor patches or timelines. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).