{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34623", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-03-30T17:30:36.490Z", "datePublished": "2026-04-14T18:26:00.180Z", "dateUpdated": "2026-04-14T18:59:02.939Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Experience Manager", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "FP11.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "LOW", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:26:00.180Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:58:47.801969Z", "id": "CVE-2026-34623", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:59:02.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:58:47.801969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:58:51.729Z"}}], "cna": {"title": "Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "modifiedScope": "CHANGED", "temporalScore": 5.4, "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 5.4, "privilegesRequired": "LOW", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "LOW", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "LOW", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "LOW", "modifiedConfidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Experience Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "FP11.7"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (DOM-based XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:26:00.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34623", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:59:02.939Z", "dateReserved": "2026-03-30T17:30:36.490Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T18:26:00.180Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "matchCriteriaId": "5898EACB-FA50-4AED-9248-9D4FBFD558D9", "versionEndIncluding": "6.5.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:*", "matchCriteriaId": "CE7B652E-C71C-42E0-950D-59CABCE683CE", "versionEndExcluding": "6.5.11.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page."}], "id": "CVE-2026-34623", "lastModified": "2026-04-15T19:41:53.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T19:16:37.903", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,FP11.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Adobe Experience Manager", "source": "cna", "vendor": "Adobe"}, "product": "adobe_experience_manager", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T21:16:12.147065+00:00", "value": {"mitigation_remediation": ["Verify the Adobe Experience Manager version on each deployed instance and confirm whether it matches the affected releases.", "Consult the Adobe security advisory linked in the references for the official patch or upgrade instructions.", "Apply the vendor\u2011provided patch or upgrade to a non\u2011affected version as soon as possible.", "As a temporary measure, restrict or disable features that load untrusted content and monitor browser consoles for unexpected JavaScript.", "Keep monitoring Adobe security advisories for further updates."], "summary": {"action": "Apply patch", "impact": "DOM-based Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Adobe Experience Manager versions 6.5.24, FP11.7 and all earlier releases are affected. The product is Adobe Experience Manager provided by Adobe.", "description_and_impact": "This vulnerability allows the execution of arbitrary JavaScript within the victim\u2019s browser by manipulating the DOM environment. The attacker can only succeed if the user visits a specially crafted web page, after which the malicious script runs with the user\u2019s browser privileges, enabling actions such as data theft or session hijacking.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction in the browser, so the attack vector is client\u2011side. While no exploit information is present in the provided data, the requirement of user interaction limits the ease of attack but still poses a risk to users who may unintentionally visit malicious content."}}}}, "created": "2026-04-15T14:31:56.906807+00:00", "updated": "2026-04-15T14:41:09.775486+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_experience_manager"]}