CVE-2026-34691 – Adobe Experience Manager Forms JEE

CVSS 9.3 CRITICAL Critical or Zero Day – Immediate Deployment

“A form field should collect data, not become a path to account compromise.”

Adobe patched two Cross-Site Scripting vulnerabilities in Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0, and earlier. CVE-2026-34691 is a stored XSS vulnerability with a CVSS score of 9.3, which is Critical severity. CVE-2026-34693 is a reflected XSS vulnerability with a CVSS score of 8.0, which is High severity.

Successful exploitation could allow malicious JavaScript to run in a victim’s browser, potentially giving an attacker elevated access or control over the victim’s account or session. CVE-2026-34693 requires user interaction through a crafted URL or compromised web page. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Adobe Experience Manager
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-79
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.