ID del boletín
Última actualización el
15 jun 2026
Actualizaciones de seguridad disponibles para Adobe Experience Manager | APSB26-56
|
|
Fecha de publicación |
Prioridad |
|---|---|---|
|
APSB26-56 |
9 de junio de 2026 |
3 |
Resumen
Adobe ha publicado actualizaciones para Adobe Experience Manager (AEM). Esta actualización resuelve vulnerabilidades clasificadas como importantes y moderadas. El aprovechamiento de estas vulnerabilidades podría dar lugar a la ejecución arbitraria de código y la omisión de la función de seguridad.
Adobe no tiene constancia de que existan exploits en circulación para los problemas que se tratan en estas actualizaciones.
Versión afectada del producto
| Producto | Versión | Plataforma |
|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) |
Todo |
6.5 LTS SP1 y versiones anteriores SP24 y versiones anteriores |
Todas |
Solución
Adobe categoriza estas actualizaciones de acuerdo con los siguientes niveles de prioridad y recomienda que los usuarios actualicen los programas a las versiones más recientes:
Producto |
Versión |
Plataforma |
Prioridad |
Disponibilidad |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) versión 2026.05 | Todos | 3 | Notas de la versión |
| Adobe Experience Manager (AEM) | 6.5 LTS Service Pack 2 | Todas | 3 | Notas de la versión |
| Adobe Experience Manager (AEM) | 6.5 Service Pack 25 | Todos | 3 | Notas de la versión |
Nota
Los clientes que ejecuten en Cloud Service de Adobe Experience Manager recibirán actualizaciones automáticamente con nuevas funciones, así como correcciones de errores de seguridad y funcionalidad.
Nota
Experience Manager Security Considerations:
AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package
Nota
Póngase en contacto con el servicio de atención al cliente de Adobe para obtener ayuda relacionada con AEM 6.4, 6.3 y 6.2.
Detalles sobre la vulnerabilidad
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47935 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47936 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47939 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47941 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47942 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47943 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47944 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47945 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47946 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47947 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47948 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47949 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47950 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47951 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47953 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47954 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47956 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47957 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47958 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47962 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47966 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47970 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47972 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47973 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47974 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47975 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47977 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47978 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47980 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47981 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47982 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47983 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47985 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47986 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47987 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47989 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47990 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-47993 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-34692 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48250 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48251 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48256 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48258 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48264 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48265 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48266 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48268 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48271 |
| Cross-site Scripting (DOM-based XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48280 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48297 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48299 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48300 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48301 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-48304 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2026-47991 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2026-48288 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2026-48289 |
Nota
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- green-jam: CVE-2026-47936, CVE-2026-47941, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47946, CVE-2026-47947, CVE-2026-47948, CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956, CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972, CVE-2026-47981, CVE-2026-47982, CVE-2026-47983, CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989, CVE-2026-47993, CVE-2026-34692, CVE-2026-48250, CVE-2026-48251, CVE-2026-48256, CVE-2026-48258, CVE-2026-48264, CVE-2026-48265, CVE-2026-48266, CVE-2026-48268, CVE-2026-48271, CVE-2026-48280, CVE-2026-48297
- anonymous_blackzero: CVE-2026-47939, CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980, CVE-2026-48288, CVE-2026-48289, CVE-2026-48299, CVE-2026-48300, CVE-2026-48301, CVE-2026-48304
- lpi: CVE-2026-47935, CVE-2026-47942
- Marco Ventura, Claudia Bartolini and Massimiliano Brolli of TIM Security Red Team Research - TIM S.p.A: CVE-2026-47990
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Revisions
December 18, 2025: Added CVE-2025-64538
December 10, 2025: Removed CVE-2025-64540
December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."
Para obtener más información, visite https://helpx.adobe.com/es/security.html o envíe un correo electrónico a la dirección PSIRT@adobe.com.
