CVE-2026-47935 Overview
CVE-2026-47935 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM). The flaw impacts AEM versions 6.5.24, LTS SP1, 2026.04, and earlier releases. An attacker can manipulate the Document Object Model (DOM) to execute malicious JavaScript within the victim's browser session. Exploitation requires the victim to visit a crafted webpage, and the scope is changed, meaning the impact extends beyond the vulnerable component. The issue is tracked under CWE-79 and documented in Adobe Security Bulletin APSB26-56.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's browser, enabling session manipulation, content modification, and limited data theft within the AEM context.
Affected Products
- Adobe Experience Manager 6.5.24 and earlier
- Adobe Experience Manager LTS SP1
- Adobe Experience Manager 2026.04 and earlier (including AEM Cloud Service)
Discovery Timeline
- 2026-06-09 - CVE-2026-47935 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47935
Vulnerability Analysis
The vulnerability is a client-side DOM-based XSS issue in Adobe Experience Manager. Unlike reflected or stored XSS, DOM-based XSS occurs entirely within the browser when client-side JavaScript writes attacker-controlled data into a sensitive DOM sink without proper sanitization. The flaw is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
The changed scope indicates the injected script can affect resources beyond the vulnerable component's security authority. Authenticated users with low privileges can craft inputs that trigger script execution when another user loads the affected page. The EPSS score of 0.03% indicates a very low predicted likelihood of exploitation in the wild, and no exploitation activity has been observed at this time.
Root Cause
The root cause is insufficient neutralization of user-controllable data before it reaches a DOM sink such as innerHTML, document.write, or eval. AEM client-side scripts process input from sources like location.hash, location.search, or postMessage data and render the values directly into the page. Without contextual output encoding, attacker-supplied payloads are interpreted as executable JavaScript by the browser.
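The source-to-sink flow described above and its hardened form, as an added example that is not Adobe's or AEM's own code; all function names are hypothetical, and the sample query string is constructed.

```javascript
// Added example, not Adobe's or AEM's own code. Shows the source-to-sink flow the
// advisory describes and its hardened form. All function names are hypothetical.

// Contextual output encoding for an HTML text/attribute context: the five
// characters that can change markup structure become inert entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read one parameter from location.search or location.hash ("?a=b" / "#a=b")
// without trusting its content.
function readParam(sourceString, name) {
  const params = new URLSearchParams(sourceString.replace(/^[?#]/, ''));
  return params.get(name) ?? '';
}

// Vulnerable pattern (illustrative): the raw value is spliced into markup that a
// client library would assign to innerHTML, so '<' in the input starts a tag.
function renderUnsafe(sourceString) {
  return `<h1>Welcome ${readParam(sourceString, 'user')}</h1>`;
}

// Hardened pattern: encode before building markup. In a real page, prefer
// el.textContent = value, which never parses the value as HTML at all.
function renderSafe(sourceString) {
  return `<h1>Welcome ${escapeHtml(readParam(sourceString, 'user'))}</h1>`;
}

// postMessage source: check event.origin against an allowlist before event.data
// is used anywhere, then still encode it for the sink it is headed to.
function handleMessage(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) return null;
  return escapeHtml(event.data);
}

// Constructed sample input standing in for location.search on an AEM page.
const SAMPLE_SEARCH = '?user=%3Cb%3Ealice%3C%2Fb%3E';
```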
Attack Vector
Exploitation requires user interaction. An attacker with low-privileged access crafts a URL or webpage containing a malicious DOM payload and convinces a victim, typically an authenticated AEM user, to visit it. When the page loads, the vulnerable client-side script processes the attacker-controlled input and executes JavaScript in the victim's browser context. The attacker can then perform actions on behalf of the victim, exfiltrate session tokens accessible to JavaScript, or pivot into the broader AEM administrative interface. No verified proof-of-concept is publicly available at this time. Refer to the Adobe Experience Manager Advisory for technical specifics.
Detection Methods for CVE-2026-47935
Indicators of Compromise
- Unexpected JavaScript execution in AEM author or publish instance browser sessions, particularly involving inline <script> tags or javascript: URIs in DOM fragments.
- HTTP request logs showing crafted URLs with encoded payloads in fragments (#), query parameters, or referrer headers targeting AEM endpoints.
- Outbound requests from user browsers to attacker-controlled domains carrying AEM session cookies or CSRF tokens.
Detection Strategies
- Inspect AEM access logs for URL patterns containing HTML entities, script tags, or event handlers such as onerror= and onload= in query strings or fragments.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script violations originating from AEM client-side code.
- Run static analysis (for example ESLint security plugins) against custom AEM client libraries to locate dangerous DOM sinks such as innerHTML, and audit whether untrusted HTML is passed through a sanitizer such as DOMPurify before it is rendered.
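The access-log inspection from the first strategy above, as an added example that is not Adobe tooling; the log lines are constructed and the NCSA-like line layout is assumed.

```javascript
// Added example, not Adobe tooling: scan AEM-style access.log lines for query strings
// or fragments carrying markup typical of DOM-XSS probing. The log lines are constructed
// and the line format (NCSA-like "ip - user timestamp "METHOD path HTTP/x" status") is an assumption.

// Signatures the advisory lists: script tags, event-handler attributes, javascript: URIs,
// plus HTML entities that try to smuggle the same markup past naive filters.
const SUSPICIOUS = [
  /<\s*script/i,
  /\bon(error|load|click|mouseover|focus)\s*=/i,
  /javascript\s*:/i,
  /&#x?[0-9a-f]+;|&lt;|&gt;/i,
];

// Payloads are often double-encoded; decode until the string stops changing (max 3 rounds).
function fullyDecode(raw) {
  let prev = null;
  let cur = raw;
  for (let i = 0; i < 3 && cur !== prev; i += 1) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { break; }
  }
  return cur;
}

// Parse one log line into its fields; null if the line does not fit the assumed layout.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ (\S+) .*?"(\S+) (\S+) HTTP\/[^"]*" (\d{3})/);
  return m ? { ip: m[1], user: m[2], method: m[3], path: m[4], status: Number(m[5]) } : null;
}

// Everything after the first '?' or '#' is attacker-influenceable input. Browsers do not
// send fragments to the server, so fragment payloads usually surface only through CSP
// reports or Referer headers; the query string is what access logs actually capture.
function classify(line) {
  const req = parseLine(line);
  if (!req) return null;
  const idx = req.path.search(/[?#]/);
  const tail = idx === -1 ? '' : fullyDecode(req.path.slice(idx + 1));
  return { ...req, suspicious: SUSPICIOUS.some((re) => re.test(tail)) };
}

function findSuspicious(lines) {
  return lines.map(classify).filter((r) => r && r.suspicious);
}

// Constructed sample lines; the second carries a double-encoded <script> tag.
const CONSTRUCTED_LOG = [
  '10.0.0.5 - editor 08/Jun/2026:09:14:02 +0000 "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - editor 08/Jun/2026:09:16:47 +0000 "GET /content/site/en.html?title=%253Cscript%253Ex%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - admin 08/Jun/2026:09:17:03 +0000 "GET /content/site/search.html?resource=javascript%3Avoid(0) HTTP/1.1" 200 4890 "-" "Mozilla/5.0"',
];
```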
Monitoring Recommendations
- Monitor browser-side error telemetry and CSP violation reports from production AEM environments for spikes correlating with new URL patterns.
- Alert on authenticated AEM sessions issuing unusual administrative API calls shortly after navigation to externally referenced pages.
- Correlate web proxy logs with AEM authentication events to identify users redirected to suspicious external sites prior to anomalous activity.
How to Mitigate CVE-2026-47935
Immediate Actions Required
- Apply the security updates referenced in Adobe Security Bulletin APSB26-56 to all on-premises AEM 6.5 and LTS instances.
- Confirm AEM as a Cloud Service tenants are running the patched 2026.04 release or later.
- Restrict access to AEM author instances to trusted networks and authenticated users only.
Patch Information
Adobe has released fixed versions addressing CVE-2026-47935. Administrators should consult Adobe Security Bulletin APSB26-56 for the exact patched build numbers corresponding to AEM 6.5.24, LTS SP1, and AEM 2026.04. Apply hotfixes through the standard AEM package manager and validate using the system console after deployment.
Workarounds
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins to limit DOM-based XSS impact.
- Place a web application firewall (WAF) in front of AEM to filter requests containing common XSS payload signatures in URL fragments and parameters.
- Educate authenticated AEM editors and administrators to avoid clicking unsolicited links that reference internal AEM URLs.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.