CVE-2026-47987 | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 a… | CVSS 5.4 MEDIUM

Description

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

Metadata

CVE ID: CVE-2026-47987
State: PUBLISHED
Assigner: adobe
Reserved: 2026-05-20 15:50 UTC
Published: 2026-06-09 16:48 UTC
Last updated: 2026-06-09 20:18 UTC
Primary CWE: CWE-79
Cross-site Scripting (DOM-based XSS) (CWE-79)
Vendor / Product: Adobe / Adobe Experience Manager
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Adobe	Adobe Experience Manager	—	0 ≤ 2026.04

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Cross-site Scripting (DOM-based XSS) (CWE-79)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (1)

https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html