CVE-2026-47946: Adobe Experience Manager DOM-Based XSS Vulnerability
Adobe Experience Manager contains a DOM-based Cross-Site Scripting vulnerability that allows an attacker to inject malicious JavaScript code into a victim's browser session. The attack requires a logged-in user to visit a specially crafted webpage, at which point the attacker's script executes with the victim's privileges within the AEM application context. This can lead to unauthorized actions, data theft, or session hijacking depending on the victim's role and permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a DOM-based XSS vulnerability (CWE-79) affecting Adobe Experience Manager. Unlike reflected or stored XSS, DOM-based XSS occurs when untrusted data is processed by client-side JavaScript without proper sanitization, allowing an attacker to manipulate the DOM to execute arbitrary code. The vulnerability exists in versions 6.5.24, LTS SP1, 2026.04 and earlier. The CVSS 3.1 score of 5.4 (MEDIUM) reflects that exploitation requires authentication and user interaction, but the scope change indicates the vulnerability can affect resources beyond the vulnerable component itself. The attack vector is network-based with low attack complexity.
Business impact
While marked as MEDIUM severity, this vulnerability poses meaningful risk to organizations using AEM for content management and digital experiences. Compromise of an authenticated user account could enable attackers to steal session tokens, modify published content, alter page behavior for other visitors, or execute actions on behalf of the victim. For organizations where content integrity and brand trust are critical, even limited XSS exploitation can damage reputation and customer confidence.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier are affected. Organizations running these versions should inventory their AEM deployments by version and determine exposure based on whether affected instances are internet-facing and which user roles have access to vulnerable functionality.
Exploitability
Exploitation requires a valid AEM user account and victim interaction—the attacker must trick an authenticated user into visiting a malicious webpage. This is not a zero-click vulnerability. However, for organizations with broad AEM user bases (authors, editors, administrators), social engineering campaigns targeting these users are plausible. The attack does not require special tools or advanced exploit code; standard web browser mechanisms suffice. Exploitation is rated as feasible but not trivial.
Remediation
Apply the latest security patches from Adobe immediately. Adobe typically releases patches through regular security bulletins; verify the specific patched version numbers against the official Adobe Security Bulletin for CVE-2026-47946. Until patching is feasible, consider implementing Web Application Firewalls (WAF) rules to detect and block DOM-based XSS patterns, restricting AEM access to trusted networks, and educating users to avoid clicking links from untrusted sources that reference AEM instances.
Patch guidance
Monitor Adobe's official security advisories for patch releases addressing this CVE. When updates become available, prioritize patching internet-facing AEM instances first. Test patches in a staging environment that mirrors production configuration before deployment. Given the requirement for user interaction, patching can be scheduled during normal maintenance windows rather than as emergency out-of-band work, though this should be completed within 30 days of patch availability.
Detection guidance
Monitor AEM access logs for suspicious parameter values or unusual DOM manipulation patterns in request payloads. Web Application Firewalls can detect common XSS payloads in HTTP requests. Client-side detection is difficult without end-user browser monitoring. Implement Content Security Policy (CSP) headers on AEM instances to restrict script execution and limit the blast radius of any successful injection. Log and alert on failed authentication attempts and anomalous session behavior.
Why prioritize this
Although rated MEDIUM severity with low CVSS score, this vulnerability warrants prompt attention because it affects a widely-deployed enterprise content management platform, requires only user-level authentication and social engineering to exploit, and can enable account takeover or data theft. The scope change indicates cross-boundary impact. Organizations should patch within 30 days; however, this is not an emergency zero-day requiring immediate disruption.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the authentication requirement (PR:L), user interaction necessity (UI:R), and low confidentiality/integrity impact. However, the scope change (S:C) elevates concern by indicating the vulnerability can affect other users or systems. This is a classic case where the numeric score may underestimate organizational risk if AEM is a critical platform with many active users.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attacker must trick a victim into visiting a crafted webpage while logged into AEM. This is not a zero-click vulnerability and requires social engineering or phishing to succeed.
What user roles are at risk?
Any authenticated AEM user (authors, editors, administrators, marketers) can be targeted. The impact depends on the victim's permissions; compromising an administrator account is more dangerous than compromising a content editor account.
Is this vulnerability currently being exploited in the wild?
This CVE has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly documented as of the publication date. However, absence from KEV does not guarantee no exploitation is occurring; maintain defensive posture regardless.
What is the difference between this DOM-based XSS and other XSS types?
DOM-based XSS is triggered entirely on the client side when JavaScript processes untrusted input without sanitization. Reflected XSS relies on server-side reflection, and stored XSS persists in a database. DOM-based XSS is often harder to detect because malicious payloads may not appear in server logs.
This analysis is provided for informational purposes and reflects publicly available information as of June 2026. Patch version numbers and availability must be verified against the official Adobe Security Bulletin for CVE-2026-47946. Organizations should conduct their own risk assessment based on their specific AEM deployment, user base, and network architecture. No exploit code or weaponized proof-of-concept is provided herein. SEC.co does not guarantee the accuracy or completeness of this analysis and recommends consulting Adobe documentation and your security vendor for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4