Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that allows a low‑privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. The weakness is identified as CWE‑79 and poses a threat of script execution within the victim’s session.

Affected Systems

The affected product is Adobe Experience Manager, specifically versions 6.5.23 and all earlier releases, including the 6.5 sp1 variant.

Risk and Exploitability

This vulnerability carries a CVSS score of 5.4 and an EPSS score of less than 1 %. The information available indicates that exploitation requires a low‑privileged attacker to submit malicious input that is stored, and the execution occurs when a user visits the page containing that stored input. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on March 17, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager security update to a version newer than 6.5.23 (e.g., 6.5.24 or later).
  • Verify that the patch has been applied and that vulnerable form fields no longer accept JavaScript inputs.

Generated by OpenCVE AI on March 17, 2026 at 16:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:42.208Z

Reserved: 2026-02-18T22:02:41.381Z

Link: CVE-2026-27230

cve-icon Vulnrichment

Updated: 2026-03-11T13:30:44.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:52.473

Modified: 2026-03-11T15:00:20.663

Link: CVE-2026-27230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:31Z

Weaknesses