Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Malicious script execution in victim’s browser
Action: Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that can be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. When a victim browses a page containing the injected script, the malicious JavaScript is executed in the victim’s browser, allowing the attacker to steal credentials, hijack sessions or deliver additional malware.

Affected Systems

Affected systems are Adobe Experience Manager products, specifically the 6.5.23 release and all earlier 6.5 versions. The vulnerability applies to the on‑premises and cloud services as reflected in the applicable CPE namespace entries.

Risk and Exploitability

The CVSS score is 5.4, indicating a moderate impact. EPSS is below 1% and the vulnerability is not recorded in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Attackers require only low‑privileged write access to form fields; no elevated privileges or network‑level access are needed. Once the script is stored, it will run in the browser context of any user viewing the page, making the attack vector a stored XSS leading to client‑side compromise.

Generated by OpenCVE AI on March 17, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager patch to a version newer than 6.5.23.
  • Verify that update was successful by checking the Incident Response Advisory for version confirmation.

Generated by OpenCVE AI on March 17, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:40.067Z

Reserved: 2026-02-18T22:02:41.382Z

Link: CVE-2026-27235

cve-icon Vulnrichment

Updated: 2026-03-11T13:29:42.694Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:53.300

Modified: 2026-03-11T15:15:42.870

Link: CVE-2026-27235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:34Z

Weaknesses