Impact
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability (CWE‑79). The flaw allows a low‑privileged attacker to store malicious JavaScript in certain form fields; the script then executes in a victim’s browser when the victim views a page that renders the compromised field. This can lead to script execution in the victim’s session, potentially exposing confidential data or enabling further actions carried out with the victim’s privileges.
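The advisory does not name the affected component, so the following is an added, generic illustration of the bug class it describes, not Adobe or AEM code: a stored form-field value rendered into a page without output encoding, the hardened rendering that encodes on output, and a review check for submissions persisted before patching. The submission object and field names are constructed for the example.

```javascript
// Added example (not AEM code): how a stored form-field value becomes
// stored XSS when rendered unescaped, and the fix: encode at output time.

// Vulnerable: interpolates stored field values straight into markup,
// so any HTML a submitter stored is handed to the viewer's browser.
function renderSubmissionUnsafe(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `<tr><td>${name}</td><td>${value}</td></tr>`)
    .join("");
}

// HTML entity encoding for text and quoted-attribute contexts.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every stored value is encoded at the point of output,
// regardless of what validation happened when it was submitted.
function renderSubmissionSafe(fields) {
  return Object.entries(fields)
    .map(([name, value]) =>
      `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join("");
}

// Defender-side review check: flag stored values containing tag syntax so
// submissions persisted before the fix can be audited. Bare comparison
// operators such as "5 < 6" are not flagged.
function containsMarkup(value) {
  return /<\/?[a-z!][^>]*>/i.test(String(value));
}

// Constructed sample: a low-privileged submitter stored script in a field.
const sampleSubmission = {
  name: "Jane",
  comment: "<script>document.title='stored'</script>",
};

console.log(renderSubmissionUnsafe(sampleSubmission).includes("<script>")); // true
console.log(renderSubmissionSafe(sampleSubmission).includes("<script>"));   // false
console.log(containsMarkup(sampleSubmission.comment));                      // true
```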
Affected Systems
All installations of Adobe Experience Manager running version 6.5.23 or earlier are impacted, including on‑premises deployments. Based on the CPE entries that reference the aem_cloud_service variant, it is inferred that cloud deployments built on the same code base may also be vulnerable, although the vendor advisory does not explicitly state this.
Risk and Exploitability
The CVSS base score of 5.4 indicates moderate severity. The EPSS score of less than 1 % suggests that wide‑scale exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalogue. The attack requires the attacker to submit content to a vulnerable form field, which any user with write access to that field can do. Therefore, while exploitation is not trivial, an authorized user with limited privileges can realistically trigger the vulnerability.
OpenCVE Enrichment