APSB26-56: thirty-plus XSS findings in one AEM bulletin — what the batch tells you
Adobe published APSB26-56 on June 9, 2026 — a security update for Adobe Experience Manager 6.5 and AEM as a Cloud Service. The advisory contains at least 36 cross-site scripting vulnerabilities, the overwhelming majority of them stored XSS, each carrying CVSS 5.4.
That number matters more than the severity score.
What the bulletin contains
Every finding in APSB26-56 shares the same profile: cross-site scripting via improper output encoding, low-privilege exploitation path (authenticated author access required), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Confirmed stored XSS CVEs (27): CVE-2026-47936, CVE-2026-47939, CVE-2026-47941, CVE-2026-47942, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47948, CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956, CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972, CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980, CVE-2026-47981
Confirmed DOM-based XSS CVEs (9): CVE-2026-47935, CVE-2026-47946, CVE-2026-47947, CVE-2026-47982, CVE-2026-47983, CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989
The bulletin’s full CVE list is longer than what was enumerated here — the advisory page truncates on initial load. The 36 above are confirmed; the actual total is likely higher.
The exploitation surface: AEM content authoring interfaces. An author-level account, or an author who pastes content from an untrusted source, can plant a payload that executes in any session that renders it. No administrative access required.
CVSS 5.4 looks modest against a remote code execution finding, but the effective blast radius is wider in practice. Content editors typically operate the most public-facing interfaces in an AEM deployment. A stored XSS in that context can reach site visitors, not just other authenticated users.
Why a batch of 36 says more than any individual CVE
A single stored XSS finding is noise. A batch of 36 from the same systematic audit is signal.
When Adobe identifies this many findings in a single bulletin, it indicates a coordinated security review of AEM’s component layer — not routine vulnerability triage. The review already happened. The bugs that would surface in an equivalent review of your current version have already been found; you either have the fix or you are running exposed.
There is a specific implication for teams on earlier service packs: the vulnerabilities that this audit surfaced exist across the prior service pack tree until patched. A team on 6.5.22 or 6.5.23 carries all 36 of these plus whatever the prior audit cycles fixed that they have not yet applied.
Batch disclosure is a trailing indicator of systematic review. APSB26-56’s 36 findings represent one audit cycle. The next cycle will produce another bulletin.
The upgrade cadence argument
APSB26-56 is addressed in AEM 6.5.24 and AEM as a Cloud Service (auto-applied). This is not an emergency hotfix — it is a service pack release. The fix has been available since June 9.
Teams running deferred upgrade cycles are making a specific trade: testing overhead of service pack validation against ongoing CVE exposure. For a single-CVE bulletin, that trade can be defensible. For a bulletin with 36 XSS findings against the author interface, the calculus is different.
Some specific implications:
- If your cycle puts you more than one service pack behind, you are carrying CVEs from at least two bulletin cycles.
- AEM 6.5.x ships quarterly service packs. A “wait for the next maintenance window” that stretches to six months is two full bulletin cycles of exposure.
- Each skipped service pack is not just the CVEs in that bulletin — it is that bulletin plus the systematic audit that produced it, applied to whichever component class Adobe reviewed next.
Upgrade cadence is not a development operations preference. It is a security posture decision with cumulative exposure in both directions.
What to do
- Check your version. AEM 6.5.24 addresses APSB26-56. Confirm your service pack level against the bulletin before your next maintenance window.
- Prioritize 6.5.24 if you are on 6.5.22 or earlier. You are carrying these 36 CVEs plus the delta from any skipped service packs between your current version and 6.5.24.
- Review your author trust model. Output encoding in custom components is defense-in-depth that reduces stored XSS surface regardless of patch level. If your authors routinely paste content from external sources, that review is worth running independently of your service pack schedule.
- Track service pack cadence as a security metric. How many service packs you are behind is a meaningful proxy for unpatched CVE exposure, particularly when Adobe’s systematic audits are producing batches of this size.
The 36 CVEs will be in your scanner by now. The batch pattern — a systematic component audit producing 36 findings across a single bulletin — is the signal worth acting on.
Sources: APSB26-56 — Security update available for Adobe Experience Manager (Adobe, June 9, 2026)