MEDIUM 5.4

CVE-2026-47982: Adobe Experience Manager DOM-XSS Vulnerability (CVSS 5.4)

Adobe Experience Manager (AEM) contains a cross-site scripting (XSS) flaw in versions 6.5.24, LTS SP1, 2026.04 and earlier. An attacker can craft a malicious webpage that, when visited by an authenticated AEM user, executes arbitrary JavaScript in the user's browser session. The attack manipulates the page's DOM to inject and run hostile code, potentially allowing the attacker to steal session tokens, modify content, or perform actions on behalf of the victim. Because exploitation requires the victim to actively visit a malicious page, this is a lower-risk variant of XSS, but it can still escalate to account compromise or unauthorized modifications within AEM.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This DOM-based XSS vulnerability (CWE-79) resides in Adobe Experience Manager and can be triggered through user-controlled DOM manipulation. The vulnerability exists because user input is not properly sanitized or validated before being used to modify the DOM. An authenticated user with login credentials must be directed to a malicious URL crafted by the attacker. Once the victim's browser loads the page, the malicious payload executes within the security context of their AEM session, potentially allowing the attacker to access sensitive data or alter application state. The attack vector is network-based, requires low complexity to execute, and necessitates both prior authentication and user interaction (clicking a link). The scope change indicator suggests the vulnerability may affect resources outside the vulnerable component itself, though the impact is limited to confidentiality and integrity breaches—no availability impact is indicated.

Business impact

For organizations running AEM to manage digital content and customer experiences, this vulnerability poses a moderate risk. Compromised user sessions could allow unauthorized content modifications, defacement, or extraction of sensitive marketing or customer data stored within AEM. The requirement for user interaction and prior authentication limits the attack surface compared to unauthenticated exploits, but any authenticated user—including those with routine editorial permissions—can be targeted. In multi-tenant environments or where AEM is used for customer-facing content, the reputational damage from unauthorized modifications may be significant. The impact depends on the privileges of the compromised user account.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and all earlier versions in these release lines are vulnerable. Organizations must inventory their AEM deployments and identify which version branch is in use. The vulnerability affects all instances of these versions unless patched; there is no version-level workaround mentioned in the initial advisory.

Exploitability

This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no verified public exploits or in-the-wild attacks have been reported as of the publication date. However, the attack vector is straightforward: an attacker crafts a malicious URL and distributes it via email, social engineering, or advertisement. The requirement for an authenticated user to click the link and the need for the attacker to craft a working DOM-manipulation payload introduces friction, but both are achievable by motivated adversaries. Given the moderate CVSS score of 5.4 and the absence of public exploit code, this is unlikely to be mass-exploited in the near term, though targeted attacks against high-value AEM users remain plausible.

Remediation

Adobe has published patches for affected AEM versions. Organizations should consult Adobe's official security advisory to identify the specific patched version for their release branch (6.5.x, LTS SP1, or 2026.x) and apply updates as soon as feasible. Patching should be prioritized based on the user population and the sensitivity of content managed within each AEM instance. In environments where immediate patching is not possible, apply input validation and output encoding controls at the application or WAF level to prevent DOM-based script injection. Monitor user sessions for suspicious activity and consider restricting access to AEM authoring environments to trusted networks or requiring additional authentication factors.

Patch guidance

Contact Adobe directly or consult the official Adobe Experience Manager security advisory for the specific version numbers of patched releases. Verify patch availability for your exact AEM version branch before deployment. Test patches in a non-production environment to ensure no disruption to content delivery or authoring workflows. Given the moderate severity and the requirement for user interaction, patching can be scheduled within your standard maintenance windows, though high-traffic or high-risk AEM instances should be prioritized. Enable security update notifications from Adobe to stay informed of future advisories affecting your deployed versions.

Detection guidance

Monitor application logs and browser console errors for evidence of DOM manipulation or unexpected script execution. Web Application Firewalls (WAF) should be configured to detect and block requests containing common DOM-XSS payloads (e.g., excessive use of JavaScript event handlers, dynamic eval, or suspicious DOM method calls). Endpoint Detection and Response (EDR) solutions can flag unusual JavaScript execution within browser processes. Security Information and Event Management (SIEM) systems should correlate failed or suspicious AEM session activity with web proxy logs to identify users who may have visited malicious sites. Search AEM access logs for crafted URLs or unusual query parameters associated with reported attacks.

Why prioritize this

While the CVSS score of 5.4 places this in the MEDIUM severity band, the lack of known public exploitation, combined with the requirement for user interaction and prior authentication, means this should be treated as important but not critical. Prioritize patching for AEM instances that manage sensitive content, support high-privilege user accounts, or are exposed to external users. Lower-priority patching can be applied to internal-only or low-sensitivity AEM deployments as part of routine maintenance. The absence of KEV listing suggests this is not yet a widespread threat, affording teams time for careful planning and testing before deployment.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects the confluence of attack vector (network-accessible), low attack complexity, low-privilege requirement (authenticated user), low impact (confidentiality and integrity only, no availability loss), and the need for user interaction. The 'S:C' (Scope Changed) modifier acknowledges the potential for the compromise to extend beyond the vulnerable component. This is a moderate-risk vulnerability that warrants prompt but not emergency attention, particularly if exploited against users with elevated permissions or access to critical content.

Frequently asked questions

Do we need to patch all our AEM instances immediately, or can we prioritize?

Prioritize based on the sensitivity of content managed and the user population served. High-risk instances managing financial, healthcare, or proprietary content, or supporting executive users, should be patched first. Internal content repositories or low-sensitivity sites can be included in the next scheduled maintenance window. Because the vulnerability requires user interaction, you have time for careful planning and testing.

Our AEM instance is behind a WAF and restricted to internal networks. Is our risk lower?

Yes. Internal-only instances with additional network controls reduce the likelihood of an attacker successfully delivering a malicious URL to a victim user. However, insider threats and social engineering remain possible, so patching is still recommended as part of a defense-in-depth strategy. A WAF can provide temporary additional protection by filtering known XSS payloads, but it is not a substitute for patching.

What should we do if we suspect a user has visited a malicious AEM link?

Review that user's session activity logs for unauthorized content modifications or data access. Reset the user's credentials and review any actions taken during the potentially compromised session. Check for signs of further lateral movement or persistence within your AEM environment. If unauthorized changes were made, you may need to restore from backups and notify stakeholders of the exposure.

Is this vulnerability exploitable without an AEM login?

No. The vulnerability requires the victim to be an authenticated AEM user. An attacker must first either have valid credentials, or trick a legitimate user into visiting a malicious page while their AEM session is active. This limits the attack surface compared to unauthenticated vulnerabilities.

This analysis is based on vendor advisories and public vulnerability data current as of the publication date. Organizations should consult Adobe's official security advisory for the most up-to-date patch versions and compatibility information before applying any updates. SEC.co does not provide exploit code or detailed attack walkthroughs. All security recommendations should be validated in your own environment before production deployment. Threat landscape and exploit availability may change; monitor official vendor channels and security alerts for updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).