Lucene search
+L

Adobe Experience Manager 6.5.0 < 6.5.2 Multiple Vulnerabilities (APSB26-56)

🗓️ 14 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 6 Views

Adobe Experience Manager older than 6.5.2 has open redirect and XSS vulnerabilities.

Related
Refs
Code
ReporterTitlePublishedViews
Family
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
bdu_fstec
The vulnerability of the Adobe Experience Manager content and media data management system, related to the lack of measures taken to protect the website structure, allows a perpetrator to execute arbitrary code.
17 Jun 202600:00
bdu_fstec
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(326739);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/14");

  script_cve_id(
    "CVE-2026-34692",
    "CVE-2026-47935",
    "CVE-2026-47936",
    "CVE-2026-47939",
    "CVE-2026-47941",
    "CVE-2026-47942",
    "CVE-2026-47943",
    "CVE-2026-47944",
    "CVE-2026-47945",
    "CVE-2026-47946",
    "CVE-2026-47947",
    "CVE-2026-47948",
    "CVE-2026-47949",
    "CVE-2026-47950",
    "CVE-2026-47951",
    "CVE-2026-47953",
    "CVE-2026-47954",
    "CVE-2026-47956",
    "CVE-2026-47957",
    "CVE-2026-47958",
    "CVE-2026-47962",
    "CVE-2026-47966",
    "CVE-2026-47970",
    "CVE-2026-47972",
    "CVE-2026-47973",
    "CVE-2026-47974",
    "CVE-2026-47975",
    "CVE-2026-47977",
    "CVE-2026-47978",
    "CVE-2026-47980",
    "CVE-2026-47981",
    "CVE-2026-47982",
    "CVE-2026-47983",
    "CVE-2026-47985",
    "CVE-2026-47986",
    "CVE-2026-47987",
    "CVE-2026-47989",
    "CVE-2026-47990",
    "CVE-2026-47991",
    "CVE-2026-47993",
    "CVE-2026-48250",
    "CVE-2026-48251",
    "CVE-2026-48256",
    "CVE-2026-48258",
    "CVE-2026-48264",
    "CVE-2026-48265",
    "CVE-2026-48266",
    "CVE-2026-48268",
    "CVE-2026-48271",
    "CVE-2026-48280",
    "CVE-2026-48288",
    "CVE-2026-48289",
    "CVE-2026-48297",
    "CVE-2026-48299",
    "CVE-2026-48300",
    "CVE-2026-48301",
    "CVE-2026-48304"
  );

  script_name(english:"Adobe Experience Manager 6.5.0 < 6.5.2 Multiple Vulnerabilities (APSB26-56)");

  script_set_attribute(attribute:"synopsis", value:
"The Adobe Experience Manager instance installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Adobe Experience Manager installed on the remote host is prior to 6.5.2. It is, therefore, affected by
multiple vulnerabilities as referenced in the APSB26-56 advisory.

  - Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper
    Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a
    malicious URL that redirects a victim to an attacker-controlled site. Exploitation of this issue requires
    user interaction in that a victim must click on a malicious link. (CVE-2026-47991)

  - Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-
    Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM
    environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of
    this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
    (CVE-2026-34692, CVE-2026-47935, CVE-2026-47946, CVE-2026-47947, CVE-2026-47982, CVE-2026-47983,
    CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989, CVE-2026-47993, CVE-2026-48250,
    CVE-2026-48251, CVE-2026-48256, CVE-2026-48258, CVE-2026-48264, CVE-2026-48265, CVE-2026-48266,
    CVE-2026-48268, CVE-2026-48271, CVE-2026-48280)

  - Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site
    Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious
    scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they
    browse to the page containing the vulnerable field. Scope is changed. (CVE-2026-47936, CVE-2026-47939,
    CVE-2026-47941, CVE-2026-47942, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47948,
    CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956,
    CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972,
    CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980,
    CVE-2026-47981, CVE-2026-47990, CVE-2026-48297, CVE-2026-48299, CVE-2026-48300, CVE-2026-48301,
    CVE-2026-48304)

  - Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input
    Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could
    leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation
    of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact
    with a compromised web page. (CVE-2026-48288, CVE-2026-48289)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45e6764e");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Experience Manager version 6.5.2 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-47991");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 79);

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:experience_manager");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("adobe_experience_manager_http_detect.nbin");
  script_require_keys("installed_sw/Adobe Experience Manager");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var port = get_http_port(default:4502);
var app_info = vcf::get_app_info(app:'Adobe Experience Manager', port:port);

vcf::check_granularity(app_info:app_info, sig_segments:2);

var constraints = [
  { 'min_version' : '6.5.0', 'fixed_version' : '6.5.2', 'fixed_display' : '6.5.2 / 6.5.25' }
];
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    require_paranoia:TRUE,
    severity:SECURITY_WARNING,
    flags:{'xss':TRUE}
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 Jul 2026 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.4 - 6.1
EPSS0.0041
SSVC
6