Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB26-56

Bulletin ID	Date Published	Priority
APSB26-56	June 9, 2026	3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important and moderate. Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Affected product versions

Product	Version	Platform
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All
6.5 LTS SP1 and earlier SP24 and earlier	All

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5 LTS SP1 and earlier

SP24 and earlier

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager (AEM)	AEM Cloud Service (CS) Release 2026.05	All	3	Release Notes
Adobe Experience Manager (AEM)	6.5 LTS Service Pack 2	All	3	Release Notes
Adobe Experience Manager (AEM)	6.5 Service Pack 25	All	3	Release Notes

Note

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Note

Experience Manager Security Considerations:

AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package

Note

Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47935
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47936
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47939
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47941
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47942
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47943
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47944
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47945
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47946
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47947
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47948
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47949
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47950
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47951
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47953
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47954
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47956
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47957
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47958
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47962
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47966
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47970
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47972
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47973
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47974
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47975
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47977
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47978
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47980
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47981
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47982
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47983
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47985
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47986
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47987
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47989
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47990
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-47993
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-34692
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48250
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48251
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48256
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48258
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48264
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48265
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48266
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48268
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48271
Cross-site Scripting (DOM-based XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48280
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48297
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48299
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48300
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48301
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2026-48304
Improper Input Validation (CWE-20)	Security feature bypass	Moderate	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	CVE-2026-47991
Improper Input Validation (CWE-20)	Security feature bypass	Moderate	3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N	CVE-2026-48288
Improper Input Validation (CWE-20)	Security feature bypass	Moderate	3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N	CVE-2026-48289

Note

If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:

green-jam: CVE-2026-47936, CVE-2026-47941, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47946, CVE-2026-47947, CVE-2026-47948, CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956, CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972, CVE-2026-47981, CVE-2026-47982, CVE-2026-47983, CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989, CVE-2026-47993, CVE-2026-34692, CVE-2026-48250, CVE-2026-48251, CVE-2026-48256, CVE-2026-48258, CVE-2026-48264, CVE-2026-48265, CVE-2026-48266, CVE-2026-48268, CVE-2026-48271, CVE-2026-48280, CVE-2026-48297
anonymous_blackzero: CVE-2026-47939, CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980, CVE-2026-48288, CVE-2026-48289, CVE-2026-48299, CVE-2026-48300, CVE-2026-48301, CVE-2026-48304
lpi: CVE-2026-47935, CVE-2026-47942
Marco Ventura, Claudia Bartolini and Massimiliano Brolli of TIM Security Red Team Research - TIM S.p.A: CVE-2026-47990

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe

Revisions

December 18, 2025: Added CVE-2025-64538

December 10, 2025: Removed CVE-2025-64540

December 24, 2025: Added note - "AEM 6.5 and LTS versions are not impacted by the following CVEs: CVE-2025-64537, CVE-2025-64538, CVE-2025-64539."

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe Security Bulletin

Summary

Affected product versions

Solution

Vulnerability Details

Acknowledgments

Revisions

Get help faster and easier

Share this page

Share this page

Ask the Community

Contact Us