Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-48257 (GCVE-0-2026-48257)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:20 – Updated: 2026-07-16 14:41- CWE-79 - Cross-site Scripting (DOM-based XSS) (CWE-79)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/experie… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager as a Cloud Service |
Affected:
0 , ≤ 2026.5.0
(custom)
Unaffected: 2026.6.0 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 LTS |
Affected:
0 , ≤ SP2
(custom)
Unaffected: SP2 - Hotfix for NPR-43972 (custom) |
|
| Adobe | Adobe Experience Manager 6.5 |
Affected:
0 , ≤ 6.5.25
(custom)
Unaffected: 6.5.25 - Hotfix for NPR-43971 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T14:41:29.164794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T14:41:42.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.4,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 5.4,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (DOM-based XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T19:38:46.060Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-48257",
"datePublished": "2026-07-14T19:20:54.339Z",
"dateReserved": "2026-05-21T15:28:38.130Z",
"dateUpdated": "2026-07-16T14:41:42.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-48257",
"date": "2026-07-17",
"epss": "0.00271",
"percentile": "0.18886"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-48257\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2026-07-14T20:17:06.570\",\"lastModified\":\"2026-07-16T15:16:31.837\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.\"}],\"affected\":[{\"source\":\"psirt@adobe.com\",\"affectedData\":[{\"vendor\":\"Adobe\",\"product\":\"Adobe Experience Manager as a Cloud Service\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"2026.5.0\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"2026.6.0\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]},{\"vendor\":\"Adobe\",\"product\":\"Adobe Experience Manager 6.5 LTS\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"SP2\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"SP2 - Hotfix for NPR-43972\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]},{\"vendor\":\"Adobe\",\"product\":\"Adobe Experience Manager 6.5\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"6.5.25\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"6.5.25 - Hotfix for NPR-43971\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-16T14:41:29.164794Z\",\"id\":\"CVE-2026-48257\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html\",\"source\":\"psirt@adobe.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-48257\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-16T14:41:29.164794Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-16T14:41:36.251Z\"}}], \"cna\": {\"title\": \"Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"modifiedScope\": \"CHANGED\", \"temporalScore\": 5.4, \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"remediationLevel\": \"NOT_DEFINED\", \"reportConfidence\": \"NOT_DEFINED\", \"temporalSeverity\": \"MEDIUM\", \"availabilityImpact\": \"NONE\", \"environmentalScore\": 5.4, \"privilegesRequired\": \"LOW\", \"exploitCodeMaturity\": \"NOT_DEFINED\", \"integrityRequirement\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NETWORK\", \"confidentialityImpact\": \"LOW\", \"environmentalSeverity\": \"MEDIUM\", \"availabilityRequirement\": \"NOT_DEFINED\", \"modifiedIntegrityImpact\": \"LOW\", \"modifiedUserInteraction\": \"REQUIRED\", \"modifiedAttackComplexity\": \"LOW\", \"confidentialityRequirement\": \"NOT_DEFINED\", \"modifiedAvailabilityImpact\": \"NONE\", \"modifiedPrivilegesRequired\": \"LOW\", \"modifiedConfidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"Adobe Experience Manager as a Cloud Service\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2026.5.0\"}, {\"status\": \"unaffected\", \"version\": \"2026.6.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Adobe\", \"product\": \"Adobe Experience Manager 6.5 LTS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SP2\"}, {\"status\": \"unaffected\", \"version\": \"SP2 - Hotfix for NPR-43972\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Adobe\", \"product\": \"Adobe Experience Manager 6.5\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.5.25\"}, {\"status\": \"unaffected\", \"version\": \"6.5.25 - Hotfix for NPR-43971\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2026-07-14T17:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"Cross-site Scripting (DOM-based XSS) (CWE-79)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2026-07-15T19:38:46.060Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-48257\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-16T14:41:42.407Z\", \"dateReserved\": \"2026-05-21T15:28:38.130Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2026-07-14T19:20:54.339Z\", \"assignerShortName\": \"adobe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-48257
Vulnerability from fkie_nvd - Published: 2026-07-14 20:17 - Updated: 2026-07-16 15:16| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager as a Cloud Service",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2026.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2026.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5 LTS",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "SP2 - Hotfix for NPR-43972",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager 6.5",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.25",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.5.25 - Hotfix for NPR-43971",
"versionType": "custom"
}
]
}
],
"source": "psirt@adobe.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed."
}
],
"id": "CVE-2026-48257",
"lastModified": "2026-07-16T15:16:31.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "psirt@adobe.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-48257",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T14:41:29.164794Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-07-14T20:17:06.570",
"references": [
{
"source": "psirt@adobe.com",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
}
GHSA-R7P2-8HWQ-4RJV
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-48257"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:06Z",
"severity": "MODERATE"
},
"details": "Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim\u0027s browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.",
"id": "GHSA-r7p2-8hwq-4rjv",
"modified": "2026-07-14T21:32:18Z",
"published": "2026-07-14T21:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48257"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
NCSC-2026-0246
Vulnerability from csaf_ncscnl - Published: 2026-07-17 14:21 - Updated: 2026-07-17 14:21Adobe Experience Manager contains a vulnerability due to missing authentication on a critical function, enabling attackers to bypass security controls and gain unauthorized write access without user interaction, with an altered scope.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a Server-Side Request Forgery (SSRF) vulnerability enabling low-privileged attackers to execute arbitrary code and perform unauthorized server-side requests without user interaction, potentially escalating access or control.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a stored Cross-Site Scripting (XSS) vulnerability that enables low-privileged attackers to inject malicious scripts into form fields, potentially executing harmful JavaScript in users' browsers.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a Path Traversal vulnerability enabling attackers to read arbitrary files outside intended directories without user interaction, thereby expanding the attack scope.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a stored Cross-Site Scripting (XSS) vulnerability that enables low-privileged attackers to inject malicious scripts into form fields, potentially executing harmful JavaScript in users' browsers.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a vulnerability involving improper restriction of XML External Entity references, enabling low-privileged attackers to execute arbitrary code, access sensitive files, and potentially escalate privileges without user interaction.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Multiple vulnerabilities affect Apache HTTP Server versions 2.4.0 to 2.4.66, including HTTP request smuggling and splitting via mod_proxy, mod_rewrite, and ProxyPassMatch configurations, alongside critical unauthenticated remote takeover flaws in Oracle products.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Adobe / Adobe Experience Manager (AEM)
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager 6.5 LTS
|
vers:unknown/* | ||
|
vers:unknown/*
Adobe / Adobe Experience Manager as a Cloud Service
|
vers:unknown/* |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Adobe heeft meerdere kwetsbaarheden verholpen in Adobe Experience Manager.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in Adobe Experience Manager omvatten onder andere het ontbreken van authenticatie op een kritieke functie, waardoor onbevoegde schrijfacties mogelijk zijn zonder gebruikersinteractie. Daarnaast is er een Server-Side Request Forgery (SSRF) kwetsbaarheid die een aanvaller met lage privileges in staat stelt om willekeurige code op de server uit te voeren en toegang te verkrijgen tot accounts of sessies. Verder zijn er meerdere Cross-Site Scripting (XSS) kwetsbaarheden, zowel stored als DOM-based, die het mogelijk maken voor aanvallers om kwaadaardige JavaScript-code te injecteren en uit te voeren in de browsers van gebruikers, wat kan leiden tot het kapen van sessies en het uitvoeren van ongeautoriseerde acties. Ook is er een Path Traversal kwetsbaarheid die het mogelijk maakt om bestanden buiten de bedoelde directorystructuur te lezen zonder gebruikersinteractie. Daarnaast is er een XML External Entity (XXE) kwetsbaarheid die het uitvoeren van willekeurige code, toegang tot gevoelige bestanden en privilege-escalatie mogelijk maakt zonder gebruikersinteractie. Deze kwetsbaarheden be\u00efnvloeden de vertrouwelijkheid, integriteit en beschikbaarheid van systemen waarop Adobe Experience Manager draait.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Adobe heeft updates uitgebracht om de kwetsbaarheden in Adobe Experience Manager te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"title": "CWE-113"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "general",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"title": "Kwetsbaarheden verholpen in Adobe Experience Manager",
"tracking": {
"current_release_date": "2026-07-17T14:21:27.012815Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0246",
"initial_release_date": "2026-07-17T14:21:27.012815Z",
"revision_history": [
{
"date": "2026-07-17T14:21:27.012815Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Adobe Experience Manager (AEM)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Adobe Experience Manager 6.5"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Adobe Experience Manager 6.5 LTS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Adobe Experience Manager as a Cloud Service"
}
],
"category": "vendor",
"name": "Adobe"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-48252",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a vulnerability due to missing authentication on a critical function, enabling attackers to bypass security controls and gain unauthorized write access without user interaction, with an altered scope.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48252 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48252.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48252"
},
{
"cve": "CVE-2026-48259",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a Server-Side Request Forgery (SSRF) vulnerability enabling low-privileged attackers to execute arbitrary code and perform unauthorized server-side requests without user interaction, potentially escalating access or control.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48259 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48259.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48259"
},
{
"cve": "CVE-2026-48263",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a stored Cross-Site Scripting (XSS) vulnerability that enables low-privileged attackers to inject malicious scripts into form fields, potentially executing harmful JavaScript in users\u0027 browsers.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48263 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48263.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48263"
},
{
"cve": "CVE-2026-48310",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a Path Traversal vulnerability enabling attackers to read arbitrary files outside intended directories without user interaction, thereby expanding the attack scope.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48310 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48310.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48310"
},
{
"cve": "CVE-2026-48355",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a stored Cross-Site Scripting (XSS) vulnerability that enables low-privileged attackers to inject malicious scripts into form fields, potentially executing harmful JavaScript in users\u0027 browsers.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48355 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48355.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48355"
},
{
"cve": "CVE-2026-48359",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a vulnerability involving improper restriction of XML External Entity references, enabling low-privileged attackers to execute arbitrary code, access sensitive files, and potentially escalate privileges without user interaction.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48359 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48359.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48359"
},
{
"cve": "CVE-2026-48253",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48253 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48253.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48253"
},
{
"cve": "CVE-2026-48254",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48254 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48254.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48254"
},
{
"cve": "CVE-2026-48255",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48255 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48255.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48255"
},
{
"cve": "CVE-2026-48257",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48257 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48257.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48257"
},
{
"cve": "CVE-2026-48260",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48260 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48260.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48260"
},
{
"cve": "CVE-2026-48261",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48261 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48261.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48261"
},
{
"cve": "CVE-2026-48262",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager contains a DOM-based Cross-Site Scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript by manipulating the DOM when a victim visits a specially crafted webpage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-48262 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-48262.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-48262"
},
{
"cve": "CVE-2023-25690",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"title": "CWE-113"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "description",
"text": "Multiple vulnerabilities affect Apache HTTP Server versions 2.4.0 to 2.4.66, including HTTP request smuggling and splitting via mod_proxy, mod_rewrite, and ProxyPassMatch configurations, alongside critical unauthenticated remote takeover flaws in Oracle products.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-25690 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-25690.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2023-25690"
},
{
"cve": "CVE-2025-64538",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64538 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64538.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-64538"
},
{
"cve": "CVE-2025-64537",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64537 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64537.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-64537"
},
{
"cve": "CVE-2025-64539",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting (XSS) vulnerability enabling attackers to execute arbitrary code and hijack user sessions via malicious web pages.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64539 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64539.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-64539"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.