CVE-2026-47947: Adobe Experience Manager DOM-Based XSS Vulnerability – CVSS 5.4
Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) flaw that allows attackers to inject malicious JavaScript into web pages viewed by authenticated users. The vulnerability affects multiple AEM versions through 6.5.24, LTS SP1, and 2026.04. Successful exploitation requires convincing a user to visit an attacker-controlled or compromised webpage while logged into an affected AEM instance. The attacker's code would then execute with the victim's privileges, potentially stealing session data, modifying content, or performing actions on their behalf.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a DOM-based XSS vulnerability (CWE-79) in Adobe Experience Manager that arises from improper sanitization of user-controlled input reflected in the browser's DOM. The vulnerability has a CVSS v3.1 score of 5.4 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The attack surface is network-accessible, requires low attack complexity, mandates prior authentication (PR:L), and depends on user interaction to trigger. The 'Scope Changed' designation indicates that compromised context can affect resources beyond the vulnerable component. Affected versions include 6.5.24, LTS SP1, 2026.04, and earlier releases.
Business impact
Organizations running AEM for digital asset management, content publishing, or multi-tenant customer portals face potential unauthorized content modification, data exfiltration, and privilege abuse. Authenticated users—including content editors, marketers, and administrators—could be tricked into visiting malicious links that hijack their sessions. In multi-tenant environments, an attacker exploiting this against one user could potentially pivot to affect other users' content or workflows. The medium severity score reflects the need for user interaction and authentication, but the changed scope and ability to modify content warrant prompt attention in environments handling sensitive or revenue-critical digital properties.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and all earlier versions are vulnerable. Organizations should audit their current AEM deployment version immediately. Adobe typically provides separate update tracks for stable releases and long-term support (LTS) versions, so patch availability and timelines may differ by release line. Verify your exact version via the AEM console and cross-reference against the vendor advisory for applicable fixes.
Exploitability
The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been reported as of the publication date. However, the simplicity of DOM-based XSS attacks and the high user interaction likelihood in AEM environments make this a realistic threat. Attackers could craft phishing emails or compromise legitimate websites to host malicious payloads, lowering the barrier to exploitation. The requirement for prior authentication means only users with AEM access are at risk, which typically limits the blast radius but does not eliminate it for organizations with broad user bases.
Remediation
Apply the security patch from Adobe as soon as it becomes available for your specific AEM version and service pack. Adobe typically releases patches through their regular maintenance release cycles. Until patching is complete, restrict AEM access to trusted networks, enforce strong authentication controls (multi-factor authentication where possible), and educate users about the risks of clicking untrusted links while logged into AEM. Content Security Policy (CSP) headers may provide defense-in-depth, though they are not a substitute for patching.
Patch guidance
Contact Adobe support or consult the Adobe Experience Manager security bulletin for your specific version line (6.5, LTS SP1, 2026.04) to obtain the patched release. Test patches in a non-production environment before rolling out to live systems, as AEM updates can affect plugin compatibility and content workflows. Verify that the patch version number is listed as addressing CVE-2026-47947. Maintain a documented schedule for applying patches across all AEM instances in your organization.
Detection guidance
Monitor web application firewalls (WAFs) and AEM logs for DOM manipulation attempts, unusual JavaScript execution, and requests containing JavaScript payloads in query parameters or POST data. Anomalous behavior by authenticated AEM users—such as sudden content modifications outside normal workflows or access to sensitive administrative functions—may indicate session hijacking. Use browser security tooling and Content Security Policy violation reports to detect XSS attempts. Log authentication events and user actions for forensic review if a compromise is suspected.
Why prioritize this
Although the CVSS score is MEDIUM and no public exploitation exists, this vulnerability merits prompt prioritization because: (1) DOM-based XSS in content management platforms can directly undermine organizational credibility if malicious content is published; (2) affected versions are widely deployed in enterprise environments; (3) the changed scope increases risk in shared or multi-tenant settings; and (4) authentication requirement does not reduce risk proportionally in organizations with large AEM user bases. Prioritize environments where AEM is customer-facing or handles high-value digital assets.
Risk score, explained
The CVSS v3.1 score of 5.4 (MEDIUM) reflects: Network attack vector (widely exploitable), low attack complexity (straightforward XSS payload delivery), and required user authentication and interaction (reducing likelihood). The 'Scope Changed' component elevates concern beyond the typical impact of a user-initiated XSS, as the compromised AEM context can affect broader application resources. Integrity and Confidentiality are impacted at low levels, with no availability impact expected. The score appropriately captures a real but not catastrophic risk; however, organizational context—such as AEM's role in your workflow and the sensitivity of managed assets—should inform your internal risk assessment.
Frequently asked questions
Do I need to be an AEM administrator for this vulnerability to affect me?
No. Any authenticated AEM user (content editor, marketer, approver, etc.) can be targeted. An attacker crafts a malicious link, and if an authenticated user clicks it while logged into an affected AEM instance, the attacker's code executes with that user's permissions. You do not need administrative rights to be compromised, though the impact depends on the victim's role.
Can this vulnerability be exploited without any user action?
No. The vulnerability requires a victim to click a malicious link or visit a crafted webpage. There is no automatic, unauthenticated attack path. This requirement for user interaction—combined with the need for prior authentication to the AEM system—significantly limits exploitability but does not eliminate the risk in environments with security awareness gaps.
How does this differ from a reflected XSS or stored XSS?
A DOM-based XSS occurs when untrusted data in the DOM environment is processed insecurely by client-side JavaScript, rather than being injected server-side. The attacker manipulates the victim's browser state directly. For your purposes, the risk and remediation are similar: patch promptly, educate users, and implement input validation and output encoding on both client and server sides.
Is there a workaround if I cannot patch immediately?
Workarounds are limited. Network segmentation to restrict AEM access, multi-factor authentication to reduce session hijacking impact, and user awareness training to discourage clicking suspicious links can lower risk. However, these do not eliminate the vulnerability. Prioritize patching as soon as vendor guidance is available and your testing cycle permits.
This analysis is based on publicly available vulnerability data as of the publication date. Patch availability, affected version details, and vendor remediation timelines are subject to change. Consult the official Adobe Experience Manager security bulletin for definitive patch version numbers and remediation instructions. SEC.co does not endorse or facilitate exploitation of any vulnerability. Organizations should conduct their own risk assessment based on their specific AEM environment, user base, and data sensitivity. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4