情報 ID
最終更新日 :
2026年3月25日
Adobe Experience Manager に関するセキュリティアップデート公開 | APSB26-24
|
|
公開日 |
優先度 |
|---|---|---|
|
APSB26-24 |
2026年3月10日 |
3 |
要約
Adobe Experience Manager (AEM)を対象としたアップデートが公開されました。 このアップデートは、重要と評価されたな脆弱性を解決します。 これらの脆弱性が不正に利用されると、任意のコードが実行される可能性があります。
本アップデートによって修正される脆弱性が、広く悪用されているという事例は確認されていません。
対象の製品バージョン
| 製品名 | バージョン | プラットフォーム |
|---|---|---|
| Adobe Experience Manager(AEM) |
AEM Cloud Service(CS) |
すべて |
6.5 LTS SP1 以前 6.5.SP23 以前 |
すべて |
解決策
アドビは、これらのアップデートを次の優先度評価に分類しており、対象製品をご利用のお客様に最新バージョンへのアップグレードを推奨します。
注意:
Adobe Experience Manager の Cloud Service をご利用のお客様には、新機能のほか、セキュリティや機能性のバグ修正を含むアップデートが自動的に配信されます。
注意:
Experience Manager Security Considerations:
AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package
注意:
AEM バージョン 6.4、6.3 および 6.2 のサポートについては、アドビカスタマケアにお問い合わせください。
脆弱性に関する詳細
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27223 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27224 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27225 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27227 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27228 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27229 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27230 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27231 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27232 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27233 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27234 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27235 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27236 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27237 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27239 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27240 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27241 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27242 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27244 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27247 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27248 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27249 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27250 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27251 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27252 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27253 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27254 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27255 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27256 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27257 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27262 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27265 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-27266 |
注意:
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- green-jam: CVE-2026-27223, CVE-2026-27224, CVE-2026-27225, CVE-2026-27227, CVE-2026-27228, CVE-2026-27229, CVE-2026-27230, CVE-2026-27231, CVE-2026-27232, CVE-2026-27233, CVE-2026-27234, CVE-2026-27235, CVE-2026-27236, CVE-2026-27237, CVE-2026-27239, CVE-2026-27240, CVE-2026-27241, CVE-2026-27242, CVE-2026-27244, CVE-2026-27247, CVE-2026-27248, CVE-2026-27249, CVE-2026-27250, CVE-2026-27251, CVE-2026-27252, CVE-2026-27253, CVE-2026-27254, CVE-2026-27255, CVE-2026-27256, CVE-2026-27257, CVE-2026-27265, CVE-2026-27266
- anonymous_blackzero: CVE-2026-27262
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Revisions
December 18, 2025: Added CVE-2025-64538
December 10, 2025: Removed CVE-2025-64540
December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."
詳しくは、https://helpx.adobe.com/jp/security.htmlを参照するか、PSIRT@adobe.com 宛てに電子メールでお問い合わせください。
