CVE-2026-48250: Adobe Experience Manager DOM-Based XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that allows attackers to inject and execute malicious JavaScript in a victim's browser. The vulnerability affects multiple AEM versions (6.5.24, LTS SP1, 2026.04 and earlier) and requires an authenticated user to visit a specially crafted webpage. While the attack requires user interaction and authentication, the scope change means the attacker's privileges can impact resources beyond the vulnerable application itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This DOM-based XSS vulnerability (CWE-79) exists in Adobe Experience Manager and can be triggered through manipulation of the Document Object Model. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network accessibility, low attack complexity, and requirement for low-privilege authenticated access plus user interaction. The scope change (S:C) means successful exploitation can affect confidentiality and integrity of resources beyond the immediate vulnerable component. This is distinct from reflected or stored XSS and may be harder to detect through standard network inspection.
Business impact
Compromised user sessions within AEM instances could lead to unauthorized data modification, theft of sensitive content managed within AEM repositories, or manipulation of digital assets and web properties managed through the platform. Organizations using AEM to manage customer-facing content face reputational risk if attackers modify published materials. The requirement for authentication and user interaction limits blast radius, but persistent attacks against administrative users could yield significant control over content systems.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier are affected. Organizations must inventory their AEM deployments to identify which versions are in production. The broad version range suggests this vulnerability affects both legacy and relatively recent releases, making patching coordination potentially complex for enterprises managing multiple AEM instances.
Exploitability
Exploitation requires three conditions: (1) the target must be an authenticated AEM user, (2) they must visit a malicious webpage controlled or modified by the attacker, and (3) their browser must process the crafted DOM manipulation. This is not an unauthenticated remote code execution scenario. However, once an attacker identifies a user with AEM access, phishing or watering-hole attacks become viable delivery mechanisms. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Apply security updates from Adobe for the affected AEM versions. Since multiple version branches are affected (6.5.x, LTS SP1, and 2026.04), consult Adobe's security advisory to confirm the patched versions for your specific release line. Organizations unable to patch immediately should restrict AEM access to trusted networks, enforce strict Content Security Policy headers, and educate users not to click untrusted links while authenticated to AEM.
Patch guidance
Contact Adobe or review their official security bulletin for patched versions applicable to your deployment. Verify the patch version against Adobe's advisory before deployment. Test patches in a staging environment that mirrors production AEM configuration. Given the authentication requirement, prioritize patching instances accessible to users beyond your security team (e.g., content editors, administrators). Monitor Adobe's support portal for any patch compatibility notes with custom AEM extensions or integrations.
Detection guidance
Monitor application logs for unusual DOM manipulation or JavaScript execution patterns in AEM. Look for access logs showing authenticated users visiting unexpected external URLs or iframes within AEM interfaces. Content Security Policy violation reports can surface attempted XSS payloads. Network detection is challenging since the payload executes client-side; focus on browser-based telemetry if available. If you maintain AEM audit logs, review them for modifications made by administrative accounts around the time of suspected compromise.
Why prioritize this
Although the CVSS score is medium (5.4), this vulnerability should be prioritized based on the scope change, which indicates potential for lateral impact. Authentication and user interaction requirements reduce immediate risk, but AEM instances managing high-value digital assets or customer-facing content warrant faster remediation. Organizations with restrictive network access to AEM can defer patching slightly; those with broader user bases should patch sooner.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects low attack complexity and network accessibility offset by the authentication requirement and user interaction trigger. The scope change elevates concern beyond a standard reflected XSS because the attacker's actions can affect the confidentiality and integrity of resources outside the immediate vulnerable component—potentially impacting downstream systems or other users relying on AEM-managed content. The absence of availability impact (no denial of service) keeps the score from rising higher.
Frequently asked questions
Do we need to patch immediately if AEM is only accessible to our internal network?
Internal-only deployments reduce exposure from watering-hole or external phishing attacks, but insider threats and compromised internal systems can still deliver the malicious webpage. Patch within your standard change control window, but prioritize if your user base includes employees with high-value system access or if you manage sensitive content.
Can this vulnerability be exploited without the user clicking anything?
No. The vulnerability requires user interaction—specifically visiting a crafted webpage. It is not a drive-by download or auto-executing vulnerability. However, social engineering, phishing, or embedding the payload on a legitimate site the user frequents can all facilitate delivery.
Does a Web Application Firewall or Content Security Policy prevent this attack?
A properly configured CSP can block inline script execution and restrict DOM manipulation, making exploitation significantly harder. WAF rules may catch obvious payloads, but DOM-based XSS often evades signature detection because the malicious input is processed client-side. CSP is a strong complementary control while you prepare patches.
Is this vulnerability included in CISA's Known Exploited Vulnerabilities list?
No, as of the published date, this vulnerability is not listed in CISA's KEV catalog. This does not guarantee it is unexploited in the wild; it means there is no confirmed public evidence of active exploitation. Monitor threat intelligence feeds and Adobe's advisories for any updates.
This analysis is based on vulnerability data published as of June 2026 and the vendor's initial advisory. Patch versions, detailed attack vectors, and exploitation status may evolve. Always verify patch applicability against Adobe's official security bulletin and test in a non-production environment before deployment. SEC.co does not host or distribute exploit code and does not condone unauthorized access to systems. Organizations are responsible for validating the security posture of their own environments. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4