Search
Find a vulnerability
Search criteria
26 vulnerabilities found for Adobe Experience Manager 6.5 LTS by Adobe
CVE-2026-48359 (GCVE-0-2026-48359)
Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Summary
Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T04:00:16.843850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:31:23.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.6,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.564Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48359",
"datePublished": "2026-07-14T19:21:00.902Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T19:38:48.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48355 (GCVE-0-2026-48355)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:35:14.413173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:35:28.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:49.677Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48355",
"datePublished": "2026-07-14T19:20:58.668Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T19:38:49.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48310 (GCVE-0-2026-48310)
Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary
Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
8.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.6,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.6,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.460Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48310",
"datePublished": "2026-07-14T19:21:02.330Z",
"dateReserved": "2026-05-21T15:28:38.136Z",
"dateUpdated": "2026-07-15T19:38:47.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48263 (GCVE-0-2026-48263)
Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:37:41.203594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:37:53.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:45.696Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48263",
"datePublished": "2026-07-14T19:21:00.097Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:45.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48262 (GCVE-0-2026-48262)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:06:44.676085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:06:54.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.411Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48262",
"datePublished": "2026-07-14T19:20:56.503Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:46.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48261 (GCVE-0-2026-48261)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:53:40.627102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:12:26.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:50.038Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48261",
"datePublished": "2026-07-14T19:20:57.976Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:50.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48260 (GCVE-0-2026-48260)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:21:00.346707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:21:11.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.109Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48260",
"datePublished": "2026-07-14T19:20:59.376Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:47.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48259 (GCVE-0-2026-48259)
Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)
Summary
Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T04:00:17.582695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:31:09.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.6,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.192Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48259",
"datePublished": "2026-07-14T19:21:01.631Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:48.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48257 (GCVE-0-2026-48257)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.060Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48257",
"datePublished": "2026-07-14T19:20:54.339Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:46.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48255 (GCVE-0-2026-48255)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:40:17.336449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:40:39.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.918Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48255",
"datePublished": "2026-07-14T19:20:55.054Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:48.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48254 (GCVE-0-2026-48254)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:06:24.971766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:06:32.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.763Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48254",
"datePublished": "2026-07-14T19:20:53.631Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:46.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48253 (GCVE-0-2026-48253)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:54:04.102395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:12:31.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:49.301Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48253",
"datePublished": "2026-07-14T19:20:57.257Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:49.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48252 (GCVE-0-2026-48252)
Vulnerability from nvd – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)
Summary
Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function (CWE-306)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:21:38.209292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:21:45.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.6,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.6,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function (CWE-306)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.824Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48252",
"datePublished": "2026-07-14T19:20:55.762Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:47.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48310 (GCVE-0-2026-48310)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary
Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
8.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.6,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.6,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.460Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48310",
"datePublished": "2026-07-14T19:21:02.330Z",
"dateReserved": "2026-05-21T15:28:38.136Z",
"dateUpdated": "2026-07-15T19:38:47.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48259 (GCVE-0-2026-48259)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)
Summary
Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T04:00:17.582695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:31:09.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could leverage this vulnerability to issue unauthorized server-side requests, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.6,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.192Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48259",
"datePublished": "2026-07-14T19:21:01.631Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:48.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48359 (GCVE-0-2026-48359)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Summary
Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T04:00:16.843850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T10:31:23.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.6,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.564Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48359",
"datePublished": "2026-07-14T19:21:00.902Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T19:38:48.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48263 (GCVE-0-2026-48263)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:37:41.203594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:37:53.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:45.696Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48263",
"datePublished": "2026-07-14T19:21:00.097Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:45.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48260 (GCVE-0-2026-48260)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:21:00.346707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:21:11.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.109Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48260",
"datePublished": "2026-07-14T19:20:59.376Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:47.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48355 (GCVE-0-2026-48355)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:35:14.413173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:35:28.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u0027s browser when they browse to the page containing the vulnerable field. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:49.677Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48355",
"datePublished": "2026-07-14T19:20:58.668Z",
"dateReserved": "2026-05-21T15:28:38.140Z",
"dateUpdated": "2026-07-15T19:38:49.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48261 (GCVE-0-2026-48261)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:53:40.627102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:12:26.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:50.038Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48261",
"datePublished": "2026-07-14T19:20:57.976Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:50.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48253 (GCVE-0-2026-48253)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:54:04.102395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:12:31.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:49.301Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48253",
"datePublished": "2026-07-14T19:20:57.257Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:49.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48262 (GCVE-0-2026-48262)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:06:44.676085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:06:54.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.411Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48262",
"datePublished": "2026-07-14T19:20:56.503Z",
"dateReserved": "2026-05-21T15:28:38.131Z",
"dateUpdated": "2026-07-15T19:38:46.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48252 (GCVE-0-2026-48252)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)
Summary
Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function (CWE-306)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:21:38.209292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:21:45.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.6,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.6,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function (CWE-306)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:47.824Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Missing Authentication for Critical Function (CWE-306)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48252",
"datePublished": "2026-07-14T19:20:55.762Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:47.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48255 (GCVE-0-2026-48255)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:40:17.336449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:40:39.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:48.918Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48255",
"datePublished": "2026-07-14T19:20:55.054Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:48.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48257 (GCVE-0-2026-48257)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.060Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48257",
"datePublished": "2026-07-14T19:20:54.339Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:46.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48254 (GCVE-0-2026-48254)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-15 19:38
VLAI
EPSS
VEX
Title
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
Summary
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
Date Public
2026-07-14 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:06:24.971766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:06:32.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.763Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48254",
"datePublished": "2026-07-14T19:20:53.631Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-15T19:38:46.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}