Adobe published APSB26-56 on June 9, 2026 — a security update for Adobe Experience Manager 6.5 and AEM as a Cloud Service. The advisory contains at least 36 cross-site scripting vulnerabilities, the overwhelming majority of them stored XSS, each carrying CVSS 5.4.

That number matters more than the severity score.

What the bulletin contains

Every finding in APSB26-56 shares the same profile: cross-site scripting via improper output encoding, low-privilege exploitation path (authenticated author access required), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Confirmed stored XSS CVEs (27): CVE-2026-47936, CVE-2026-47939, CVE-2026-47941, CVE-2026-47942, CVE-2026-47943, CVE-2026-47944, CVE-2026-47945, CVE-2026-47948, CVE-2026-47949, CVE-2026-47950, CVE-2026-47951, CVE-2026-47953, CVE-2026-47954, CVE-2026-47956, CVE-2026-47957, CVE-2026-47958, CVE-2026-47962, CVE-2026-47966, CVE-2026-47970, CVE-2026-47972, CVE-2026-47973, CVE-2026-47974, CVE-2026-47975, CVE-2026-47977, CVE-2026-47978, CVE-2026-47980, CVE-2026-47981

Confirmed DOM-based XSS CVEs (9): CVE-2026-47935, CVE-2026-47946, CVE-2026-47947, CVE-2026-47982, CVE-2026-47983, CVE-2026-47985, CVE-2026-47986, CVE-2026-47987, CVE-2026-47989

The bulletin’s full CVE list is longer than what was enumerated here — the advisory page truncates on initial load. The 36 above are confirmed; the actual total is likely higher.

The exploitation surface: AEM content authoring interfaces. An author-level account, or an author who pastes content from an untrusted source, can plant a payload that executes in any session that renders it. No administrative access required.

CVSS 5.4 looks modest against a remote code execution finding, but the effective blast radius is wider in practice. Content editors typically operate the most public-facing interfaces in an AEM deployment. A stored XSS in that context can reach site visitors, not just other authenticated users.

Why a batch of 36 says more than any individual CVE

A single stored XSS finding is noise. A batch of 36 from the same systematic audit is signal.

When Adobe identifies this many findings in a single bulletin, it indicates a coordinated security review of AEM’s component layer — not routine vulnerability triage. The review already happened. The bugs that would surface in an equivalent review of your current version have already been found; you either have the fix or you are running exposed.

There is a specific implication for teams on earlier service packs: the vulnerabilities that this audit surfaced exist across the prior service pack tree until patched. A team on 6.5.22 or 6.5.23 carries all 36 of these plus whatever the prior audit cycles fixed that they have not yet applied.

Batch disclosure is a trailing indicator of systematic review. APSB26-56’s 36 findings represent one audit cycle. The next cycle will produce another bulletin.

The upgrade cadence argument

APSB26-56 is addressed in AEM 6.5.24 and AEM as a Cloud Service (auto-applied). This is not an emergency hotfix — it is a service pack release. The fix has been available since June 9.

Teams running deferred upgrade cycles are making a specific trade: testing overhead of service pack validation against ongoing CVE exposure. For a single-CVE bulletin, that trade can be defensible. For a bulletin with 36 XSS findings against the author interface, the calculus is different.

Some specific implications:

  • If your cycle puts you more than one service pack behind, you are carrying CVEs from at least two bulletin cycles.
  • AEM 6.5.x ships quarterly service packs. A “wait for the next maintenance window” that stretches to six months is two full bulletin cycles of exposure.
  • Each skipped service pack is not just the CVEs in that bulletin — it is that bulletin plus the systematic audit that produced it, applied to whichever component class Adobe reviewed next.

Upgrade cadence is not a development operations preference. It is a security posture decision with cumulative exposure in both directions.

What to do

  1. Check your version. AEM 6.5.24 addresses APSB26-56. Confirm your service pack level against the bulletin before your next maintenance window.
  2. Prioritize 6.5.24 if you are on 6.5.22 or earlier. You are carrying these 36 CVEs plus the delta from any skipped service packs between your current version and 6.5.24.
  3. Review your author trust model. Output encoding in custom components is defense-in-depth that reduces stored XSS surface regardless of patch level. If your authors routinely paste content from external sources, that review is worth running independently of your service pack schedule.
  4. Track service pack cadence as a security metric. How many service packs you are behind is a meaningful proxy for unpatched CVE exposure, particularly when Adobe’s systematic audits are producing batches of this size.

The 36 CVEs will be in your scanner by now. The batch pattern — a systematic component audit producing 36 findings across a single bulletin — is the signal worth acting on.


Sources: APSB26-56 — Security update available for Adobe Experience Manager (Adobe, June 9, 2026)