CVE ID: CVE‑2026‑47935
How the Vulnerability Works
CVE‑2026‑47935 is a DOM‑based Cross‑Site Scripting (XSS) flaw affecting Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04, and earlier. Unlike reflected or stored XSS, DOM‑based XSS does not rely on server‑side sanitization. Instead, the malicious payload is executed entirely on the client side when a web application uses unsafe JavaScript to handle data from the DOM’s environment – for example, reading values from `document.location`, `document.referrer`, or `window.name`, and then writing them into an HTML element via methods like `innerHTML` or `document.write()`.
In AEM, this vulnerability arises because certain client‑side scripts process attacker‑controlled input without proper sanitisation before inserting it into the DOM. An attacker can craft a malicious URL or a specially designed web page that, when visited by an authenticated AEM user, manipulates the DOM environment. The attacker’s JavaScript payload is then executed in the context of the victim’s browser, with the same privileges as the legitimate AEM application.
Because the attack requires user interaction – the victim must click on a crafted link or be tricked into visiting a malicious page – the CVSS score is MEDIUM (5.4). However, the impact is heightened by the fact that the scope is changed, meaning the XSS can affect resources beyond the vulnerable component. Once executed, the script could steal session tokens, perform actions on behalf of the victim, or deface the AEM interface.
The CVSS vector string summarises the risk:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`
- Network attack vector, low complexity, low privileges required.
- User interaction required (victim visits crafted webpage).
- Scope changed (vulnerability can affect other components).
- Low impact on confidentiality and integrity, none on availability.
Adobe addressed this issue in the June 2026 security updates, releasing patched versions (AEM 6.5.25, 6.5 LTS SP2, and Cloud Service release 2026.05). Administrators are urged to upgrade immediately to prevent client‑side code injection.
DailyCVE Form
- Platform: Adobe Experience Manager
- Version: 6.5.24, LTS SP1, 2026.04
- Vulnerability: DOM‑based XSS
- Severity: Medium
- Date: 2026-06-09
- Prediction: 2026-06-10 (expected patch)
What Undercode Says
Check the current AEM version:

```shell
curl -s -u admin:admin http://localhost:4502/system/console/status-productinfo.json | grep "Version"
```

Download and apply the official patch (Adobe Experience Manager 6.5 Service Pack 25):

```shell
# The URL below is the APSB26-34 advisory page, not the service pack archive itself;
# the SP25 zip must be obtained from Adobe's download portal before the unzip step.
wget https://help.adobe.com/security/products/aem/apsb26-34.html
unzip AEM-6.5-SP25.zip -d /path/to/aem/
systemctl restart aem
```

Verify the patch was applied:

```shell
curl -s -u admin:admin http://localhost:4502/system/console/status-productinfo.json | grep "6.5.25"
```
Exploit
A proof‑of‑concept for the DOM‑based XSS leverages an unsanitised `window.location.hash` parameter:
```javascript
// Malicious URL: http://victim-aem.com/page.html#<img src=x onerror=alert('XSS')>
window.onload = function() {
  // Source: the URL fragment is fully attacker-controlled and is never sent to the server
  var hash = document.location.hash.substring(1);
  // Sink: innerHTML parses the string as markup, so the payload executes in the victim's browser
  document.getElementById("untrusted").innerHTML = hash;
};
```
If AEM’s script injects the hash directly into the DOM, the attacker’s payload executes when the page loads.
Protection
- Apply the vendor patch – Upgrade to AEM 6.5.25 (or SP2 for LTS, or Cloud Service release 2026.05).
- Implement a Content Security Policy (CSP) – Restrict `script-src` to trusted origins and disallow `unsafe-inline`.
- Use safe DOM APIs – Replace `innerHTML` with `textContent` or sanitise untrusted input with DOMPurify.
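The "safe DOM APIs" advice applied to the hash-to-innerHTML pattern shown in the Exploit section, as an added example that is not part of the advisory or of Adobe's code: the vulnerable sink next to a hardened renderer that allowlists the fragment and writes it through `textContent`. The allowlist pattern `FRAGMENT_ID` and the element stand-in `makeElement` are assumptions made so the code runs in Node without a browser.

```javascript
// Allowlist for what a fragment may be in this example: an anchor or section id.
// This is an assumption for the example; tighten or widen it to the application's needs.
const FRAGMENT_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Normalise document.location.hash: drop the leading '#' and percent-decode,
// because browsers may hand back '%3C' for '<', and a check on the raw string
// would otherwise be bypassed by encoding the markup.
function fragmentFromHash(locationHash) {
  const raw = locationHash.startsWith('#') ? locationHash.slice(1) : locationHash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed escape sequence: keep the raw text rather than crash
  }
}

// Vulnerable pattern from the PoC: the source (hash) flows straight into an HTML sink.
function renderFragmentUnsafe(el, locationHash) {
  el.innerHTML = fragmentFromHash(locationHash); // parsed as markup, event handlers run
  return el.innerHTML;
}

// Hardened: validate against the allowlist first, then use a text sink. textContent
// creates a text node, so '<' and '>' are displayed literally and never parsed.
function renderFragmentSafe(el, locationHash) {
  const frag = fragmentFromHash(locationHash);
  if (!FRAGMENT_ID.test(frag)) {
    el.textContent = ''; // reject unexpected input instead of trying to "clean" it
    return false;
  }
  el.textContent = frag;
  return true;
}

// Constructed stand-in for a DOM element so the functions run outside a browser.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Stand-alone demonstration using a constructed, harmless markup fragment.
if (typeof document === 'undefined') {
  const el = makeElement();
  renderFragmentUnsafe(el, '#<b>section-1</b>');
  console.log('unsafe sink received markup:', el.innerHTML);
  console.log('safe renderer accepted markup:', renderFragmentSafe(el, '#<b>section-1</b>'));
  console.log('safe renderer accepted plain id:', renderFragmentSafe(el, '#section-1'));
}
```

In a browser, pass a real element (e.g. `document.getElementById("untrusted")`) instead of `makeElement()`; the CSP from the list above still belongs alongside this, since it limits what any remaining sink can execute.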
Impact
- Confidentiality & Integrity (Low): An attacker can read or modify data within the AEM application.
- User Interaction Required: The victim must click a crafted link, reducing mass exploitation risk.
- Scope Changed: The XSS can influence other components in the AEM ecosystem.
- No Availability Impact: The vulnerability does not affect system uptime.
- No Public Exploitation: Adobe reported no known in‑the‑wild exploits at patch release.
Sources:
Reported By: nvd.nist.gov