CVE-2026-27225 - Vulnerability Details

- Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Published: 2026-03-11

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are vulnerable to a stored Cross‑Site Scripting (XSS) flaw. A low‑privileged attacker can inject malicious JavaScript into vulnerable form fields. When a victim loads a page containing the injected content, the script runs in the victim’s browser, enabling client‑side attacks. The weakness corresponds to CWE‑79, Improper Input Validation.

Affected Systems

Affected product is Adobe Experience Manager. All releases up to and including version 6.5.23 are impacted. The affected CPE entries include cpe:2.3:a:adobe:experience_manager:6.5:*:*:lts:*:*:*, cpe:2.3:a:adobe:experience_manager:*:*:*:aem_cloud_service:*:*:* and other associated identifiers. Any deployment running these versions is at risk.

Risk and Exploitability

CVSS base score 5.4 indicates moderate severity. EPSS below 1% implies low likelihood of exploitation. Not listed in CISA’s KEV catalog. Exploitation requires an attacker to submit malicious input to the vulnerable form field and a subsequent user to view the affected page, which indicates a web‑based attack vector dependent on user interaction.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Adobe Experience Manager

affected

Version	Status	Constraints
`0`	affected	≤ 6.5.23

Configuration 1 [-]

OR	cpe:2.3:a:adobe:experience_manager:::::-:::*
	cpe:2.3:a:adobe:experience_manager:::::aem_cloud_service:::*
	cpe:2.3:a:adobe:experience_manager:6.5:-:::lts:::*
	cpe:2.3:a:adobe:experience_manager:6.5:sp1:::lts:::*

No data.

Vendor Product Confidence Versions

Adobe

Adobe Experience Manager

100%

Version	Status	Scheme	Platform
`[0,6.5.23]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check Adobe’s security advisories for a patch that addresses the stored XSS vulnerability in Experience Manager.
If a patch is available, download and apply the update to a version later than 6.5.23 as soon as feasible.
After updating, validate the fix by testing with a known malicious payload or reviewing the relevant code to ensure the vulnerable form fields are protected.
If an immediate update is not possible, restrict access to the vulnerable form fields to trusted users and monitor traffic for abnormal input patterns as a temporary mitigation.

Generated by OpenCVE AI on March 17, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html

History

Wed, 11 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe experience Manager
CPEs		cpe:2.3:a:adobe:experience_manager:::::-:::* cpe:2.3:a:adobe:experience_manager:::::aem_cloud_service:::* cpe:2.3:a:adobe:experience_manager:6.5:-:::lts:::* cpe:2.3:a:adobe:experience_manager:6.5:sp1:::lts:::*
Vendors & Products		Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe adobe Experience Manager
Vendors & Products		Adobe Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title		Adobe Experience Manager \| Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses		CWE-79
References		https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Adobe Adobe Experience Manager Experience Manager

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-03-11T00:23:26.339Z

Updated: 2026-03-11T13:38:40.303Z

Reserved: 2026-02-18T22:02:41.380Z

Link: CVE-2026-27225

Vulnrichment

Updated: 2026-03-11T13:29:47.335Z

NVD

Status : Analyzed

Published: 2026-03-11T01:16:51.803

Modified: 2026-03-11T15:13:23.730

Link: CVE-2026-27225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:35Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object