VYPR
patch · Published Jun 9, 2026 · 2 sources

Adobe Experience Manager: 25 Vulnerabilities Disclosed, Mostly XSS and Memory Corruption


Key findings

  • 25 vulnerabilities disclosed for Adobe Experience Manager, InDesign, and InCopy on June 9, 2026.
  • Critical and High severity flaws include stored/reflected XSS and memory corruption bugs (buffer overflows, OOB writes).
  • Arbitrary code execution is possible in InDesign/InCopy when a user opens a malicious file.
  • Adobe Experience Manager vulnerabilities include XSS, input validation bypass, and potential account takeover.
  • All affected AEM versions are patched in a single update; InDesign/InCopy patches are also available.
  • The disclosure spans memory corruption, XSS, and security bypass vulnerabilities across multiple Adobe products.

Adobe Inc. addressed a significant batch of 25 security vulnerabilities on June 9, 2026, impacting its Adobe Experience Manager (AEM) product, as well as InDesign and InCopy. The vulnerabilities, disclosed within a one-hour window, range in severity from Low to Critical, with many posing a risk of arbitrary code execution or sensitive data disclosure. This coordinated disclosure event highlights a broad range of weaknesses across Adobe's creative and enterprise software.

The majority of the disclosed vulnerabilities affect Adobe Experience Manager Forms JEE and AEM itself. These include a critical stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34691) with a CVSSv3 score of 9.3, and a high-severity reflected XSS vulnerability (CVE-2026-34693). Several other stored XSS vulnerabilities (CVE-2026-34694, CVE-2026-48304, CVE-2026-48301, CVE-2026-48300, CVE-2026-48299, CVE-2026-48297) were also disclosed, with CVSS scores ranging from Medium to Medium-High. These XSS flaws could allow attackers to inject malicious scripts into vulnerable form fields or web pages, potentially leading to session hijacking or unauthorized access.

Beyond XSS, AEM is also affected by two Improper Input Validation vulnerabilities (CVE-2026-48289, CVE-2026-48288), both rated Low severity. These could enable a low-privileged attacker to bypass security measures and gain unauthorized write access. As noted in related coverage, an Improper Redirect vulnerability could also lead to account takeover, though a specific CVE for this was not detailed in the provided data.

Separately, Adobe InDesign Desktop and InCopy are impacted by a cluster of high-severity vulnerabilities. These include out-of-bounds writes (CVE-2026-48293, CVE-2026-34700, CVE-2026-34706), stack-based buffer overflows (CVE-2026-34708, CVE-2026-34702, CVE-2026-34695, CVE-2026-34697), heap-based buffer overflows (CVE-2026-34707, CVE-2026-34701, CVE-2026-34699, CVE-2026-34698), and a use-after-free vulnerability (CVE-2026-34696). All these vulnerabilities carry a CVSSv3 score of 7.8 and require user interaction, typically by opening a malicious file, to achieve arbitrary code execution in the context of the current user.

Additionally, InDesign Desktop is affected by medium-severity vulnerabilities including an out-of-bounds read (CVE-2026-34705) that could lead to sensitive memory disclosure, and NULL pointer dereferences (CVE-2026-34704, CVE-2026-34703) that could result in application denial-of-service.

According to related reporting, all affected versions of Adobe Experience Manager, including 6.5.24, LTS SP1, and 2026.04, are addressed in a single update. Users are strongly advised to apply the latest patches to mitigate the risks associated with these numerous vulnerabilities. The broad scope of this disclosure underscores the importance of timely patching for Adobe products, especially those handling user-generated content or complex file formats.

This batch of vulnerabilities, disclosed simultaneously, presents a significant security challenge for users of both Adobe's creative suite and its enterprise content management system. The prevalence of memory corruption bugs in InDesign/InCopy and XSS flaws in AEM necessitates prompt attention from administrators and end-users alike to secure their systems against potential exploitation.

This update from SecurityWeek confirms that Adobe has released patches for a total of 123 vulnerabilities across its product suite. While the previous article focused on 25 specific vulnerabilities in Adobe Experience Manager, InDesign, and InCopy, this new information broadens the scope to include numerous other Adobe products, with a significant number of the total flaws also allowing for arbitrary code execution.

Synthesized by Vypr AI