CVE-2026-47986: DOM-Based XSS in Adobe Experience Manager – CVSS 5.4 MEDIUM
Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious JavaScript code into web pages viewed by authenticated users. The vulnerability affects versions 6.5.24, LTS SP1, 2026.04 and earlier. An attacker must trick a user into visiting a specially crafted webpage while that user is logged into AEM; the malicious script then executes in the user's browser with their privileges. This can lead to unauthorized actions, data theft, or further compromise depending on the victim's role and permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a DOM-based XSS vulnerability (CWE-79) in Adobe Experience Manager where untrusted user input is processed and written to the DOM without proper sanitization. The vulnerability requires an authenticated user (PR:L) and user interaction (UI:R), and the attack scope is changed—meaning the impact extends beyond the vulnerable component itself. The CVSS 3.1 vector reflects low confidentiality and integrity impact but no availability impact. The attack vector is network-based (AV:N) with low attack complexity (AC:L), making it practical to exploit once a victim is lured to a malicious link or page.
Business impact
Authenticated attackers could perform session hijacking, steal sensitive data visible to the user, modify content or settings within AEM, impersonate the user for administrative actions, or establish persistence for further attacks. In a multi-tenant or enterprise environment where authors and admins use AEM extensively, successful exploitation could disrupt content workflows, compromise editorial integrity, or enable lateral movement. The requirement for user interaction limits mass exploitation but does not eliminate risk—social engineering or malicious links embedded in emails or messaging systems remain practical attack vectors.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations running these versions, particularly in web content management, digital marketing, or enterprise publishing roles, are directly affected. The vulnerability applies to all four vendor-product combinations listed (indicating multiple AEM deployments or configurations).
Exploitability
Exploitation requires crafting a malicious webpage or link and convincing an authenticated AEM user to visit it—a social engineering step that is achievable but not trivial. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no evidence of active, widespread exploitation in the wild as of the last update. However, the straightforward nature of DOM-based XSS means exploit code and proof-of-concept development are routine, and private exploitation is possible. The MEDIUM severity (5.4) reflects the practical barriers to large-scale attacks but underscores that targeted campaigns against specific organizations remain credible.
Remediation
Upgrade Adobe Experience Manager to a patched version released after 2026.04. Verify the exact patch version number and compatibility requirements in the official Adobe security advisory. Organizations unable to patch immediately should implement network controls to restrict AEM access to trusted networks, enforce multi-factor authentication for AEM user accounts, and educate users to avoid clicking suspicious links that reference AEM authoring interfaces.
Patch guidance
Apply the latest Adobe Experience Manager security patch released after June 2026. Consult Adobe's official security bulletin to confirm the exact patched version for your installed release (6.5.x, LTS SP1, or 2026.x). Test patches in a non-production environment to validate compatibility with custom code, extensions, and integrations before production deployment. Verify that patched systems are fully updated, as interim or partial updates may not address all aspects of the vulnerability.
Detection guidance
Monitor AEM access logs for unusual browser-based requests, rapid successive page visits from a single user session, or requests containing encoded JavaScript payloads in URL parameters or POST bodies. Web application firewalls (WAF) configured to detect and block DOM-based XSS patterns can provide real-time defense. Intrusion detection systems (IDS) may flag malicious payloads in HTTP traffic. Review browser-based attacks and anomalous user behavior in AEM analytics or user activity logs. Security testing tools such as static application security testing (SAST) or dynamic testing in staging environments can identify similar XSS patterns in custom AEM extensions.
Why prioritize this
Although the CVSS score is MEDIUM (5.4), this vulnerability should be prioritized for organizations with high-value or sensitive AEM deployments. AEM is often used to manage critical business content, compliance information, or customer-facing digital assets. The requirement for user interaction is a practical barrier, but authenticated users (authors, editors, admins) are frequent targets for phishing and social engineering. The change in scope increases potential impact beyond the application itself. Organizations with exposed AEM instances or those managing regulated content should patch promptly; others can follow standard patching cycles but should not defer indefinitely.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), requirement for valid AEM credentials (PR:L), user interaction needed to visit a malicious link (UI:R), changed scope affecting other components or systems (S:C), and limited confidentiality and integrity impact (C:L, I:L) with no availability impact (A:N). The authentication requirement and user interaction reduce the attack surface compared to an unauthenticated or no-interaction XSS, but the changed scope and realistic exploitation scenario justify a MEDIUM rating. Context-specific risk may be higher for organizations managing sensitive content or in regulated industries.
Frequently asked questions
Can this vulnerability be exploited against users who are not logged into AEM?
No. The vulnerability requires the victim to be an authenticated AEM user (PR:L in the CVSS vector). An attacker must craft a link or webpage that, when visited by a logged-in user, triggers the XSS payload. Unauthenticated visitors to public-facing websites powered by AEM are not directly vulnerable, but a compromised authenticated user could be leveraged to attack others.
Is this vulnerability currently being exploited in the wild?
There is no evidence of active exploitation as of the published date (June 2026). The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. However, the absence of public reports does not rule out targeted or private exploitation, especially against high-value AEM instances in enterprises or media organizations.
What is the difference between DOM-based XSS and other types of XSS?
DOM-based XSS occurs when malicious input is processed and written to the browser's DOM (Document Object Model) without sanitization, allowing JavaScript to execute in the user's context. Unlike reflected XSS (which bounces a payload off the server) or stored XSS (which persists on the server), DOM-based XSS is often triggered entirely within the client-side code path. This can make detection harder since the malicious payload may not appear in server logs.
If we enforce multi-factor authentication (MFA), does that eliminate the risk?
MFA protects the AEM login itself but does not prevent XSS once a user is authenticated. An attacker still needs to trick a logged-in user into visiting a malicious link. However, MFA does reduce the risk of account compromise through credential theft, which may limit the pool of compromised accounts that could be leveraged for XSS attacks. MFA is a valuable defense-in-depth control but not a complete mitigation for this specific vulnerability.
This analysis is based on information available as of June 2026. Patch version numbers, timelines, and vendor statements should be verified directly against Adobe's official security advisory and product documentation. This summary does not constitute legal or compliance advice. Organizations should assess risk in the context of their specific AEM deployment, data sensitivity, and threat model. Exploit code, proofs-of-concept, and weaponized tools are not provided; responsible disclosure practices are encouraged. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4