Search

Find a vulnerability

Search criteria

    26 vulnerabilities found for Adobe Experience Manager 6.5 by Adobe

    CVE-2026-48359 (GCVE-0-2026-48359)

    Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
    Summary
    Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48359",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:00:16.843850Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:31:23.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 9.6,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 9.6,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.564Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48359",
        "datePublished": "2026-07-14T19:21:00.902Z",
        "dateReserved": "2026-05-21T15:28:38.140Z",
        "dateUpdated": "2026-07-15T19:38:48.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48355 (GCVE-0-2026-48355)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:35:14.413173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:35:28.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:49.677Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48355",
        "datePublished": "2026-07-14T19:20:58.668Z",
        "dateReserved": "2026-05-21T15:28:38.140Z",
        "dateUpdated": "2026-07-15T19:38:49.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48310 (GCVE-0-2026-48310)

    Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
    Summary
    Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 8.6,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "NONE",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "NONE",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 8.6,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.460Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48310",
        "datePublished": "2026-07-14T19:21:02.330Z",
        "dateReserved": "2026-05-21T15:28:38.136Z",
        "dateUpdated": "2026-07-15T19:38:47.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48263 (GCVE-0-2026-48263)

    Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:37:41.203594Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:37:53.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:45.696Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48263",
        "datePublished": "2026-07-14T19:21:00.097Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:45.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48262 (GCVE-0-2026-48262)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:06:44.676085Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:06:54.220Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.411Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48262",
        "datePublished": "2026-07-14T19:20:56.503Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:46.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48261 (GCVE-0-2026-48261)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48261",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:53:40.627102Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T15:12:26.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:50.038Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48261",
        "datePublished": "2026-07-14T19:20:57.976Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:50.038Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48260 (GCVE-0-2026-48260)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:21:00.346707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:21:11.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.109Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48260",
        "datePublished": "2026-07-14T19:20:59.376Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:47.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48259 (GCVE-0-2026-48259)

    Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)
    Summary
    Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:00:17.582695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:31:09.605Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 9.6,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 9.6,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery (SSRF) (CWE-918)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.192Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48259",
        "datePublished": "2026-07-14T19:21:01.631Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:48.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48257 (GCVE-0-2026-48257)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.060Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48257",
        "datePublished": "2026-07-14T19:20:54.339Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:46.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48255 (GCVE-0-2026-48255)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:40:17.336449Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:40:39.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.918Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48255",
        "datePublished": "2026-07-14T19:20:55.054Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:48.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48254 (GCVE-0-2026-48254)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:06:24.971766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:06:32.466Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.763Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48254",
        "datePublished": "2026-07-14T19:20:53.631Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:46.763Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48253 (GCVE-0-2026-48253)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:54:04.102395Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T15:12:31.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:49.301Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48253",
        "datePublished": "2026-07-14T19:20:57.257Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:49.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48252 (GCVE-0-2026-48252)

    Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)
    Summary
    Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function (CWE-306)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:21:38.209292Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:21:45.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 8.6,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "NONE",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 8.6,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function (CWE-306)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.824Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48252",
        "datePublished": "2026-07-14T19:20:55.762Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:47.824Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48310 (GCVE-0-2026-48310)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
    Summary
    Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 8.6,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "NONE",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "NONE",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 8.6,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.460Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48310",
        "datePublished": "2026-07-14T19:21:02.330Z",
        "dateReserved": "2026-05-21T15:28:38.136Z",
        "dateUpdated": "2026-07-15T19:38:47.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48259 (GCVE-0-2026-48259)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)
    Summary
    Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:00:17.582695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:31:09.605Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 9.6,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 9.6,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery (SSRF) (CWE-918)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.192Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48259",
        "datePublished": "2026-07-14T19:21:01.631Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:48.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48359 (GCVE-0-2026-48359)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
    Summary
    Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48359",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:00:16.843850Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:31:23.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 9.6,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 9.6,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.564Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48359",
        "datePublished": "2026-07-14T19:21:00.902Z",
        "dateReserved": "2026-05-21T15:28:38.140Z",
        "dateUpdated": "2026-07-15T19:38:48.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48263 (GCVE-0-2026-48263)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:37:41.203594Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:37:53.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:45.696Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48263",
        "datePublished": "2026-07-14T19:21:00.097Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:45.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48260 (GCVE-0-2026-48260)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:21:00.346707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:21:11.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.109Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48260",
        "datePublished": "2026-07-14T19:20:59.376Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:47.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48355 (GCVE-0-2026-48355)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:35:14.413173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:35:28.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:49.677Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48355",
        "datePublished": "2026-07-14T19:20:58.668Z",
        "dateReserved": "2026-05-21T15:28:38.140Z",
        "dateUpdated": "2026-07-15T19:38:49.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48261 (GCVE-0-2026-48261)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48261",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:53:40.627102Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T15:12:26.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:50.038Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48261",
        "datePublished": "2026-07-14T19:20:57.976Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:50.038Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48253 (GCVE-0-2026-48253)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:54:04.102395Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T15:12:31.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:49.301Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48253",
        "datePublished": "2026-07-14T19:20:57.257Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:49.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48262 (GCVE-0-2026-48262)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:06:44.676085Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:06:54.220Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.411Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48262",
        "datePublished": "2026-07-14T19:20:56.503Z",
        "dateReserved": "2026-05-21T15:28:38.131Z",
        "dateUpdated": "2026-07-15T19:38:46.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48252 (GCVE-0-2026-48252)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)
    Summary
    Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function (CWE-306)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:21:38.209292Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:21:45.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 8.6,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "NONE",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 8.6,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function (CWE-306)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:47.824Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48252",
        "datePublished": "2026-07-14T19:20:55.762Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:47.824Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48255 (GCVE-0-2026-48255)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:40:17.336449Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:40:39.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:48.918Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48255",
        "datePublished": "2026-07-14T19:20:55.054Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:48.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48257 (GCVE-0-2026-48257)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.060Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48257",
        "datePublished": "2026-07-14T19:20:54.339Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:46.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48254 (GCVE-0-2026-48254)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
    VLAI
    Title
    Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
    Summary
    Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adobe Adobe Experience Manager as a Cloud Service Affected: 0 , ≤ 2026.5.0 (custom)
    Unaffected: 2026.6.0 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 LTS Affected: 0 , ≤ SP2 (custom)
    Unaffected: SP2 - Hotfix for NPR-43972 (custom)
    Create a notification for this product.
    Adobe Adobe Experience Manager 6.5 Affected: 0 , ≤ 6.5.25 (custom)
    Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom)
    Create a notification for this product.
    Date Public
    2026-07-14 17:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:06:24.971766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:06:32.466Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager as a Cloud Service",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "2026.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2026.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5 LTS",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "SP2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SP2 - Hotfix for NPR-43972",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Adobe Experience Manager 6.5",
              "vendor": "Adobe",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.5.25 - Hotfix for NPR-43971",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-07-14T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 5.4,
                "environmentalSeverity": "MEDIUM",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "LOW",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "LOW",
                "modifiedIntegrityImpact": "LOW",
                "modifiedPrivilegesRequired": "LOW",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "REQUIRED",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T19:38:46.763Z",
            "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
            "shortName": "adobe"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "assignerShortName": "adobe",
        "cveId": "CVE-2026-48254",
        "datePublished": "2026-07-14T19:20:53.631Z",
        "dateReserved": "2026-05-21T15:28:38.130Z",
        "dateUpdated": "2026-07-15T19:38:46.763Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }