CVE-2026-48251: Adobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager (AEM) contains a vulnerability that allows attackers to inject malicious scripts into the DOM, which execute in users' browsers. This DOM-based cross-site scripting (XSS) flaw affects multiple versions of AEM up to and including 6.5.24, LTS SP1, and 2026.04. Exploitation requires an attacker to trick a user into visiting a specially crafted webpage, making it dependent on user interaction. Once the malicious page loads, the attacker's JavaScript runs within the victim's browser session, potentially allowing theft of session tokens, credential capture, or unauthorized actions on behalf of the user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This DOM-based XSS vulnerability (CWE-79) resides in Adobe Experience Manager and allows an attacker to manipulate the Document Object Model environment to execute arbitrary JavaScript code. Unlike reflected or stored XSS, DOM-based XSS occurs when client-side JavaScript processes untrusted data unsafely, modifying the DOM in ways that lead to script execution. The vulnerability has a CVSS 3.1 score of 5.4 (MEDIUM severity) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, requirement for low privileges (authenticated user), mandatory user interaction, and changed scope. The low integrity and confidentiality impact reflects the attacker's ability to read and modify page content within the user's context rather than achieve system-level compromise.
Business impact
For organizations using AEM for content management, digital asset management, or customer-facing web experiences, this vulnerability presents a persistent risk to user sessions and data integrity. An attacker could impersonate legitimate users, redirect them to phishing sites, steal authentication tokens, modify displayed content, or perform unauthorized actions on their behalf. The requirement for user interaction and authenticated access somewhat constrains the threat, but the changed-scope nature of the vulnerability means impacts can ripple beyond the AEM application itself. Organizations should prioritize patching because compromised user sessions can lead to unauthorized data access or modification of critical marketing and content assets.
Affected systems
The vulnerability affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and earlier releases. Organizations running any of these versions are potentially vulnerable. To determine your exposure, audit all deployed instances of AEM and their version numbers, paying particular attention to customer-facing or high-value content authoring environments where privilege escalation or data theft poses the greatest risk.
Exploitability
Exploitability is moderate. The attack requires an authenticated user (low-privilege) and user interaction—specifically, the victim must visit an attacker-controlled or attacker-modified webpage. Network accessibility is straightforward over HTTP/HTTPS. The low attack complexity suggests the vulnerability is relatively straightforward to exploit once those preconditions are met. However, the requirement for both authentication and user interaction raises the bar compared to unauthenticated or no-interaction exploits. There is no evidence of active exploitation in the wild (KEV status is not assigned), but this does not eliminate the need for timely remediation, especially in high-trust environments where users may be more likely to click links.
Remediation
Patch affected AEM instances to versions newer than 6.5.24, LTS SP1, and 2026.04 as directed by Adobe's official security advisory. Verify patch availability and version numbers directly from Adobe. In parallel, apply defense-in-depth controls: validate and sanitize all DOM operations handling user-supplied data, enforce strict Content Security Policy (CSP) headers to limit JavaScript execution sources, and conduct code review of custom JavaScript in AEM applications. For environments with extended patching timelines, consider additional access controls to limit who can author or modify content that affects the DOM.
Patch guidance
Contact Adobe or consult Adobe's official security advisory to identify patched versions released after 2026.04. Establish a testing window in a non-production environment to validate compatibility before production rollout. Given the MEDIUM severity and the need for user interaction to exploit, balance rapid patching with thorough regression testing. Coordinate updates across all AEM instances (author, publisher, dispatcher) to maintain consistency. Document patching dates and versions for compliance and audit purposes.
Detection guidance
Monitor AEM logs for suspicious DOM manipulation patterns, unusual script injection attempts, or atypical authentication followed by content modification requests. Inspect browser console logs and network traffic on affected systems for unexpected script execution or modified DOM elements. Implement application performance monitoring (APM) or log aggregation to detect anomalous JavaScript execution patterns. Track user login events correlated with unusual content changes or redirects. Test your detection stack with DOM-based XSS payloads in a controlled lab to ensure sensors catch the attack pattern.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. It is a MEDIUM-severity XSS that requires both authentication and user interaction, restricting the threat surface compared to unauthenticated network attacks. However, AEM is often central to digital experiences and content integrity, and DOM-based XSS can compromise user sessions and enable credential theft or content tampering. No active exploitation has been reported (KEV not assigned), but the straightforward nature of DOM XSS exploits and the wide use of AEM suggest patches should be applied within standard security update windows. Prioritize author and customer-facing instances ahead of internal-only deployments.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the balance between a relatively accessible attack surface (network-based, low complexity) and meaningful constraints (authentication, user interaction required). The changed-scope metric elevates impact slightly by allowing the attacker's actions to affect resources beyond the vulnerable application. Confidentiality and integrity impacts are limited (low ratings) because the attacker gains the privileges of the user whose session they compromise rather than achieving administrative control or bypassing security boundaries. This is a legitimate risk but not a critical emergency, making it suitable for inclusion in the next scheduled patch cycle.
Frequently asked questions
Can this vulnerability be exploited without an authenticated user visiting a malicious webpage?
No. The vulnerability requires two conditions: the attacker must be an authenticated user (or trick an authenticated user into visiting the malicious page), and the victim must actively navigate to a crafted webpage. There is no evidence of wormable or self-propagating variants.
What versions of Adobe Experience Manager are vulnerable?
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and all earlier versions are affected. Verify the exact patched version from Adobe's official security advisory, as patch numbering may vary across product lines.
Does this vulnerability allow an attacker to gain admin access to AEM?
No. The vulnerability allows an attacker to execute JavaScript within a victim's browser session at the victim's privilege level. It does not grant the attacker higher privileges than the compromised user possesses. However, if the compromised user holds administrative rights, the attacker's actions will carry those rights.
Is there active exploitation of this vulnerability?
This vulnerability has not been assigned to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed evidence of active, widespread exploitation at this time. Nonetheless, DOM-based XSS is a well-understood attack pattern, and timely patching is advisable.
This analysis is based on vendor-supplied information and public vulnerability data as of the publication date. Patch versions, compatibility details, and KEV status may change; verify current status directly with Adobe's official security advisories and update bulletins. This explainer does not constitute legal or compliance advice. Organizations must conduct their own risk assessment and testing before applying patches to production systems. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4