Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Browser-based XSS
Action: Apply Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are vulnerable to a stored Cross‑Site Scripting (XSS) flaw. The flaw allows an attacker to inject malicious JavaScript into form fields that are subsequently rendered to users. When a victim visits a page containing the affected field, the script executes in the victim's browser, potentially enabling credential theft, session hijacking, or defacement. The weakness is a classic input‑validation defect (CWE‑79).

Affected Systems

The vulnerability affects Adobe Experience Manager, version 6.5.23 and all earlier releases. Affected CPEs include adobe:experience_manager:6.5:* and its change‑pack derivatives used by on‑premise and cloud services. Any deployment that uses these versions and allows unauthenticated or authenticated users to submit and store content in the web interface is susceptible.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity, and the EPSS probability is below 1%, suggesting low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit it by submitting crafted input through vulnerable form fields, a web‑based attack vector that requires remote access to the content authoring interface. Patching remains the most reliable mitigation.

Generated by OpenCVE AI on March 17, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager security update that addresses CVE‑2026‑27224.
  • If an immediate patch is unavailable, implement input validation or sanitization on all form fields that store user input.
  • Deploy a Content Security Policy to mitigate execution of injected scripts.
  • Monitor web application logs for unusual scripting activity and review stored content for unsanitized scripts.

Generated by OpenCVE AI on March 17, 2026 at 15:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:43.367Z

Reserved: 2026-02-18T22:02:41.380Z

Link: CVE-2026-27224

cve-icon Vulnrichment

Updated: 2026-03-11T13:31:15.914Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:51.620

Modified: 2026-03-11T15:13:44.760

Link: CVE-2026-27224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:39Z

Weaknesses