VYPR
Vypr Intelligence · AI-generated · Jun 9, 2026 · 25 CVEs

Adobe Experience Manager: 25 Vulnerabilities Disclosed, Mostly Stored and DOM XSS

Twenty-five vulnerabilities have been disclosed in Adobe Experience Manager, predominantly Cross-Site Scripting flaws, all patched in a single update.

Key findings

  • 25 vulnerabilities disclosed for Adobe Experience Manager on June 9, 2026.
  • The majority of disclosed flaws are stored and DOM-based Cross-Site Scripting (XSS) vulnerabilities.
  • Two Improper Input Validation vulnerabilities could allow unauthorized write access.
  • An Improper Redirect vulnerability could lead to account takeover.
  • All affected versions, including 6.5.24, LTS SP1, and 2026.04, are patched in a single update.
  • Attackers could leverage these flaws to inject malicious scripts or redirect users to malicious sites.

Adobe Inc. has addressed a substantial batch of 25 security vulnerabilities affecting its Experience Manager (AEM) product. The issues, all disclosed on June 9, 2026, are predominantly Cross-Site Scripting (XSS) flaws, with a few related to improper input validation and open redirects. The vulnerabilities impact AEM versions 6.5.24, LTS SP1, 2026.04, and earlier, and have been resolved in a unified security update.

The majority of the disclosed vulnerabilities are stored Cross-Site Scripting (XSS) flaws, identified by CVEs such as CVE-2026-48304, CVE-2026-48301, CVE-2026-48300, CVE-2026-48299, CVE-2026-48297, and CVE-2026-47990. These vulnerabilities could allow a low-privileged attacker to inject malicious scripts into vulnerable form fields. When a victim browses to a page containing one of these fields, the injected JavaScript could be executed within their browser context, potentially leading to session hijacking or other malicious actions.

Adding to the XSS concerns, a significant number of DOM-based XSS vulnerabilities were also disclosed. These include CVE-2026-48280, CVE-2026-48271, CVE-2026-48268, CVE-2026-48266, CVE-2026-48265, CVE-2026-48264, CVE-2026-48258, CVE-2026-48256, CVE-2026-48251, CVE-2026-48250, CVE-2026-47993, CVE-2026-47989, CVE-2026-47987, CVE-2026-47986, and CVE-2026-47983. These vulnerabilities are exploitable by manipulating the Document Object Model (DOM) environment, enabling attackers to execute malicious JavaScript within the victim's browser.

Beyond XSS, two vulnerabilities related to Improper Input Validation were detailed: CVE-2026-48289 and CVE-2026-48288. These low-severity flaws (CVSSv3 3.5) could permit a low-privileged attacker to bypass security measures and gain unauthorized write access. Additionally, CVE-2026-47991, rated with a medium severity of CVSSv3 4.3, is an Improper Redirect (Open Redirect) vulnerability. This could be exploited by an attacker constructing a malicious URL that redirects a victim to an attacker-controlled site, potentially leading to account takeover scenarios.

All 25 vulnerabilities were disclosed simultaneously on June 9, 2026, indicating a coordinated patching effort by Adobe. The affected versions span multiple release lines, including 6.5.24, LTS SP1, and 2026.04. Adobe has provided a unified security update to address all these issues, urging users to apply the patches promptly to mitigate the risks associated with these flaws.

Given the prevalence of XSS vulnerabilities, which can be used for phishing, credential theft, and session hijacking, users of Adobe Experience Manager are strongly advised to update their installations as soon as possible. The simultaneous disclosure suggests that Adobe has a comprehensive patch available, and delaying the update could leave systems exposed to known and potentially exploitable weaknesses.

AI-written article. Grounded in 25 CVE records listed below.