CVE-2026-34691

Critical · CVSS 9.3

Adobe Experience Manager Forms JEE — Stored Cross-Site Scripting (XSS)

CVSS: 9.3; nvd
EPSS: 0.10%; 27th pct
KEV: No
Class: kernel local; CWE-79

Description

Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

Search profile — drives PoC discovery

Symbols AEM Forms JEEform fieldsmalicious scriptsstored XSSAPSB26-57elevated accesssession hijackingscope changed

Keywords CVE-2026-34691Adobe Experience Manager Forms JEE stored XSSAEM Forms JEE XSSAPSB26-57 PoCAEM Forms 6.5.24.0 XSSAdobe AEM Forms JEE vulnerabilityAEM Forms stored cross-site scriptingCVE-2026-34691 exploit

Versions: LTS SP1, 6.5.24.0 and earlier

References

https://helpx.adobe.com/security/products/aem-forms/apsb26-57.html

Status: enriched · ingested 2026-06-11T18:20:51.547Z · profiled 2026-06-16T18:20:23.035Z