Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

An attacker can embed malicious JavaScript into form fields in Adobe Experience Manager 6.5.23 and earlier. The script is stored on the server and executed in a victim’s browser when they view the affected page. This stored XSS vulnerability is identified as CWE‑79.

Affected Systems

Adobe Experience Manager versions 6.5.23 and earlier, including the base 6.5 LTS releases and the service‑pack sp1 LTS, are affected. The CVE also lists the AEM cloud service as vulnerable, per the CPES enumeration.

Risk and Exploitability

The CVSS base score is 5.4, classifying the issue as moderate. The EPSS score is less than 1 %, indicating low current exploitation probability. It is not listed in the CISA KEV catalog. The attack requires submitting malicious content to a vulnerable form field, after which any user who loads the page will have the script executed in their browser.

Generated by OpenCVE AI on March 17, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch: upgrade Adobe Experience Manager to version 6.5.24 or later as described in the Adobe security advisory APSB26-24 (https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html).
  • If an upgrade is not immediately possible, mitigate by disabling or sanitizing the vulnerable form fields to prevent script injection.

Generated by OpenCVE AI on March 17, 2026 at 16:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:42.354Z

Reserved: 2026-02-18T22:02:41.381Z

Link: CVE-2026-27229

cve-icon Vulnrichment

Updated: 2026-03-11T13:30:48.322Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:52.300

Modified: 2026-03-11T15:01:13.723

Link: CVE-2026-27229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:32Z

Weaknesses