CRITICAL CVE-2026-34691 (CNA: adobe)

CVE-2026-34691: Adobe Experience Manager Forms JEE | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in Adobe Experience Manager Forms JEE allows an unauthenticated network attacker to inject malicious JavaScript into vulnerable form fields. The injected script executes in a victim's browser when they visit the affected page, requiring no authentication to plant the payload but relying on a victim loading the page. Successful exploitation gives the attacker full read and write access to the victim's session, stored credentials, and account context. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream NVD and Adobe advisory feeds within minutes of publication and matched against all customer images, including custom-built AEM Forms JEE images in registries and CI pipelines.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 Critical and is capable of weighting that score against each customer organization's compliance policy to determine urgency tier and route the alert to the appropriate team inbox automatically.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch ships.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the AEM Forms JEE service over the network to submit a payload into a vulnerable form field.

  • Authentication: Not required

    No account or credentials are needed to inject the malicious script into a vulnerable form field.

  • Victim interaction: Required

    A victim must browse to the page containing the injected field, making this a social-engineering or passive-wait attack against authenticated users.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once the payload is stored; no race conditions or special environmental factors are required.

Blast Radius

  • The attacker reads the victim's active session token, enabling full account takeover without needing the victim's password.
  • Stored cookies, autofill credentials, and any data rendered on the page are exposed to the injected JavaScript and can be exfiltrated to the attacker.
  • The attacker can perform write actions on the victim's behalf, such as modifying form data, submitting transactions, or changing account settings, within the victim's privilege level.
  • Because scope is changed, the injected script can reach and interact with other origins or browser storage beyond the AEM Forms application itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34691 is active across all customer environments scanning AEM Forms JEE images, matched on every registry push and scheduled pipeline scan. Because Adobe has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment upstream ships. In the meantime, customers can apply compensating controls through HarborGuard network policies: isolate AEM Forms JEE nodes from untrusted ingress, restrict which origins can submit to form endpoints, and consider feature-flag gating for any publicly exposed form fields. For customers with auto-remediation enabled, the rebuild, regression test, and PR flow will activate without manual steps as soon as a fix version is available.

Affected packages
  • Adobe / Adobe Experience Manager Forms JEE: ≤ 6.5.24.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N