HarborGuard Database: CVE-2026-34693 (Severity: HIGH, CNA: adobe)

CVE-2026-34693: Adobe Experience Manager Forms JEE | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Metrics

  • CVSS v3.1 base score: 8.0
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) in Adobe Experience Manager Forms JEE allows an unauthenticated, network-based attacker to inject scripts into a victim's browser session. The attacker must trick the victim into visiting a crafted URL, and exploitation depends on conditions outside the attacker's direct control (attack complexity High); the impact crosses a scope boundary (Scope Changed), so the injected script can act beyond the vulnerable component itself. Successful exploitation yields high confidentiality and integrity impact against the victim's session and account data, with no availability impact. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-34693 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle AEM Forms JEE components. Any image carrying an affected version (up to and including 6.5.24.0) is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

Triage capability is available with the full CVSS v3.1 score of 8.0 (High), surfaced alongside per-environment compliance policy weighting so that teams with stricter policies see this escalated appropriately. Findings are routed to the designated inbox or ticketing integration configured for each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe ships a remediated release. Customers can also apply compensating controls in the interim through network-policy isolation and egress filtering, both configurable within HarborGuard policy settings.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; the attacker must be able to reach the AEM Forms JEE service from an internet or network-adjacent position to deliver the crafted URL.

  • Authentication: Not required

    No account or credentials are needed; the attacker can initiate the attack as an unauthenticated party, relying entirely on victim interaction to execute the payload.

  • Victim interaction: Required

    The victim must click a maliciously crafted URL or visit a compromised web page, making a social-engineering or phishing step a prerequisite for exploitation.

  • Attack complexity: High

    Attack complexity is rated High, meaning the exploit depends on conditions beyond the attacker's direct control, such as specific browser state or environmental factors, making reliable triggering non-trivial.

Blast Radius

  • Reads the victim's active session tokens, cookies, and credential material stored or transmitted in the browser context.
  • Performs high-impact modifications on behalf of the victim, including submitting forms, changing account settings, or escalating privileges within the AEM Forms JEE application.
  • The changed scope means injected scripts can affect browser components or origins beyond the vulnerable page itself, broadening the attacker's reach beyond the directly targeted resource.
  • No availability impact is present; the service itself remains running while the attacker operates through the compromised session.

How HarborGuard Handles This

Available on HarborGuard: because Adobe has not yet published a fix for CVE-2026-34693, the platform monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix version exists. In the interim, compensating controls are available through HarborGuard policy configuration: network-policy rules can restrict external access to AEM Forms JEE endpoints, egress filtering can limit script-reachable destinations, and feature-flag gating can disable affected form rendering paths where operationally feasible. These measures reduce exposure surface while the upstream patch is pending.

Affected packages

  • Adobe / Adobe Experience Manager Forms JEE, versions ≤ 6.5.24.0
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N