ID bollettino
Ultimo aggiornamento il
15 giu 2026
Aggiornamenti di sicurezza disponibili per Adobe Experience Manager | APSB26-56
|
|
Data di pubblicazione |
Priorità |
|---|---|---|
|
APSB26-56 |
9 giugno 2026 |
3 |
Riepilogo
Adobe ha rilasciato aggiornamenti per Adobe Experience Manager (AEM). Questo aggiornamento risolve vulnerabilità classificate come importanti e moderate. Lo sfruttamento efficace di queste vulnerabilità potrebbe causare l’esecuzione di codice arbitrario e l’aggiramento delle funzioni di sicurezza.
Adobe non è a conoscenza di sfruttamenti delle vulnerabilità oggetto di questi aggiornamenti.
Versioni del prodotto interessate
| Prodotto | Versione | Piattaforma |
|---|---|---|
| Adobe Experience Manager (AEM) |
Cloud Service AEM (CS) |
Tutti |
6.5 LTS SP1 e versioni precedenti SP24 e versioni precedenti |
Tutte |
Soluzione
Adobe classifica questi aggiornamenti in base ai seguenti livelli di priorità e consiglia agli utenti interessati di aggiornare la propria installazione alla versione più recente:
Prodotto |
Versione |
Piattaforma |
Priorità |
Disponibilità |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) Release 2026.05 | Tutte | 3 | Note sulla versione |
| Adobe Experience Manager (AEM) | 6.5 LTS Service Pack 2 | Tutte | 3 | Note sulla versione |
| Adobe Experience Manager (AEM) | 6.5 Service Pack 25 | Tutte | 3 | Note sulla versione |
Nota
I clienti in esecuzione sul Cloud Service di Adobe Experience Manager riceveranno automaticamente aggiornamenti che includono nuove funzioni, nonché correzioni di bug di sicurezza e funzionalità.
Nota
Experience Manager Security Considerations:
AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package
Nota
Per ricevere assistenza sulle versioni di AEM 6.4, 6.3 e 6.2, gli utenti possono contattare l’Assistenza clienti Adobe.
Dettagli della vulnerabilità
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47935 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47936 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47939 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47941 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47942 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47943 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47944 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47945 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47946 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47947 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47948 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47949 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47950 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47951 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47953 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47954 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47956 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47957 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47958 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47962 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47966 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47970 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47972 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47973 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47974 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47975 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47977 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47978 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47980 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47981 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47982 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47983 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47985 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47986 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47987 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47989 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47990 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47993 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-34692 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48250 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48251 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48256 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48258 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48264 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48265 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48266 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48268 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48271 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48280 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48297 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48299 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48300 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48301 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48304 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2026-47991 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2026-48288 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2026-48289 |
Nota
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- green-jam: CVE-2026-47936, CVE-2026-47941, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47946, CVE-2026-47947, CVE-2026-47948, CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956, CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972, CVE-2026-47981, CVE-2026-47982, CVE-2026-47983, CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989, CVE-2026-47993, CVE-2026-34692, CVE-2026-48250, CVE-2026-48251, CVE-2026-48256, CVE-2026-48258, CVE-2026-48264, CVE-2026-48265, CVE-2026-48266, CVE-2026-48268, CVE-2026-48271, CVE-2026-48280, CVE-2026-48297
- anonymous_blackzero: CVE-2026-47939, CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980, CVE-2026-48288, CVE-2026-48289, CVE-2026-48299, CVE-2026-48300, CVE-2026-48301, CVE-2026-48304
- lpi: CVE-2026-47935, CVE-2026-47942
- Marco Ventura, Claudia Bartolini and Massimiliano Brolli of TIM Security Red Team Research - TIM S.p.A: CVE-2026-47990
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Revisions
December 18, 2025: Added CVE-2025-64538
December 10, 2025: Removed CVE-2025-64540
December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."
Per ulteriori informazioni, visitare il sito https://helpx.adobe.com/it/security.html o inviare un’e-mail a PSIRT@adobe.com.
