MEDIUM 5.4

CVE-2026-47987: Adobe Experience Manager DOM-Based XSS Vulnerability – CVSS 5.4 Analysis

Adobe Experience Manager contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages. The flaw affects versions 6.5.24, LTS SP1, 2026.04 and earlier. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. Once executed, the attacker's code runs in the victim's browser with the same privileges as the logged-in user, potentially allowing unauthorized actions or data theft.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a DOM-based XSS vulnerability (CWE-79) in Adobe Experience Manager that arises from improper handling of user-controlled input in the DOM environment. The vulnerability requires a logged-in user (PR:L) to visit a malicious webpage (UI:R), after which attacker-supplied JavaScript executes within the victim's security context. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component itself. The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N indicates network accessibility, low attack complexity, and impact limited to confidentiality and integrity—no availability impact.

Business impact

Exploitation could allow attackers to perform actions on behalf of authenticated users, such as modifying content, stealing session tokens, or capturing sensitive information displayed in the user's browser. For organizations running AEM as a content management or digital experience platform, this presents a risk to content integrity and user trust. The requirement for user interaction limits the attack surface, but the scope change means impacts could extend beyond the AEM instance itself if integrations or dependent systems are present.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected. Organizations using any of these versions should prioritize assessment and patching. Later versions are assumed to contain fixes; verify against Adobe's official security advisory for the exact patched versions available for your deployment track.

Exploitability

Exploitation requires delivery of a crafted webpage to an authenticated AEM user and user interaction (clicking a link or visiting the malicious page). This is not a pre-authentication attack and does not allow direct remote code execution on the server. The attack relies on social engineering or phishing to succeed. While exploitability is not trivial, the low attack complexity and lack of KEV designation suggest no known public exploits are currently circulating, reducing immediate exploit risk.

Remediation

Apply the security patch released by Adobe for your deployed version of Experience Manager. Consult Adobe's official security bulletin to identify the correct patched version for your specific track (6.5.x, LTS SP1, or 2026.x). In the interim, implement content security policy (CSP) headers to restrict script execution and enforce web application firewall rules that block suspicious DOM manipulation patterns. Educate users to avoid clicking unfamiliar links, especially from external sources.

Patch guidance

Check Adobe's official Experience Manager security advisory for the specific patch version applicable to your deployment. The vulnerability affects versions 6.5.24, LTS SP1, 2026.04 and earlier, so upgrades to versions released after these should address the issue. Test patches in a staging environment before production rollout to ensure compatibility with custom components and integrations.

Detection guidance

Monitor web access logs for unusual patterns targeting AEM authoring or publishing endpoints, particularly GET requests with suspicious query parameters or fragments. Look for DOM-based XSS patterns in application logs—repeated attempts to inject script tags or event handlers. Browser-based detection is limited; focus on network and application-level controls. Content Security Policy violation reports can flag blocked inline scripts. If AEM includes audit logging, review for unusual content modifications or session activity from authenticated users.

Why prioritize this

CVSS score of 5.4 (Medium) places this in the standard-priority category. However, prioritization should account for the authentication requirement (reducing risk for public-facing instances) and the lack of known public exploits. Organizations where AEM is externally accessible or receives untrusted traffic should prioritize patching earlier. Those with internal-only deployments can schedule patching within normal quarterly windows.

Risk score, explained

The CVSS 5.4 score reflects the combination of network-accessible attack vector, low attack complexity, and impact on confidentiality and integrity. However, the mandatory authentication requirement (PR:L) and user interaction (UI:R) significantly lower real-world exploitability compared to unauthenticated or automation-friendly attacks. The lack of availability impact and the absence of an active exploit in the wild further mitigate severity. Organizations should treat this as a legitimate but not critical vulnerability requiring timely remediation.

Frequently asked questions

Does this vulnerability allow attackers to run code on the AEM server itself?

No. This is a DOM-based XSS vulnerability, meaning the malicious JavaScript executes only in the victim's browser, not on the server. The attacker cannot directly compromise the AEM infrastructure, but can act on behalf of the logged-in user to manipulate content or steal session data.

Can this vulnerability be exploited without user interaction?

No. The vulnerability requires a victim to visit a crafted webpage. An attacker cannot exploit this by simply scanning the network or sending a packet. Social engineering or phishing is necessary to deliver the malicious page to a target user.

Are public-facing AEM instances at higher risk than internal ones?

Yes. If your AEM instance is exposed to the internet and accessible by untrusted users, the attack surface is larger. However, the vulnerability still requires the victim to be authenticated and to visit a malicious external page, so even public-facing instances have mitigating constraints.

Should we delay patching if we have a WAF (Web Application Firewall) in place?

A WAF can help reduce risk by blocking malicious payloads, but it is not a substitute for patching. WAFs rely on signature-based or behavior-based detection, which may have false negatives, especially for novel XSS variants. Patching the underlying vulnerability is the definitive fix.

This analysis is based on publicly disclosed vulnerability information current as of the publication date. Security assessments and patch availability may evolve. Always verify patch versions and deployment guidance directly with Adobe's official security advisory before implementing changes. This explainer is provided for informational purposes and does not constitute professional security advice tailored to your specific environment. Consult your security team and Adobe support for deployment-specific recommendations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).