Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier contain a stored cross‑site scripting vulnerability that allows a low‑privileged attacker to inject malicious scripts into vulnerable form fields. When a user accesses a page containing the injected script, the JavaScript executes in the victim’s browser, potentially performing undesired actions.

Affected Systems

The affected product is Adobe Experience Manager, versions 6.5.23 and earlier, covering both on‑premise and cloud service deployments as represented by the listed CPE entries.

Risk and Exploitability

The CVSS score is 5.4, indicating medium severity. The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low likelihood of exploitation. Attacking requires only low‑privilege access to submit data to a vulnerable form field; the stored nature of the flaw enables repeated impact on multiple users once injected.

Generated by OpenCVE AI on March 17, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review Adobe’s security advisory at https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html for the latest patch or fix.
  • Apply the most recent patch or upgrade to Adobe Experience Manager 6.5.24 or later if available.
  • If a patch is not immediately available, restrict public access to the vulnerable form fields or disable their functionality until a fix is applied.

Generated by OpenCVE AI on March 17, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:39.333Z

Reserved: 2026-02-18T22:02:41.381Z

Link: CVE-2026-27232

cve-icon Vulnrichment

Updated: 2026-03-11T13:29:24.543Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:52.813

Modified: 2026-03-11T14:59:08.877

Link: CVE-2026-27232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:29Z

Weaknesses