Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier contain a stored cross-site scripting vulnerability. A low-privileged attacker could insert malicious JavaScript into certain form fields that are stored and later rendered on a page. When a user visits that page, the injected script runs in the victim's browser, allowing the attacker to affect client-side execution.

Affected Systems

Affected systems include all Adobe Experience Manager 6.5 releases up to and including 6.5.23, as well as the SP1 update for 6.5. The CPE entries in the CVE list also cover the 6.5 base and sp1 packages; any release newer than 6.5.23 is presumed not to contain the flaw.

Risk and Exploitability

The CVE has a CVSS score of 5.4, indicating moderate severity. The EPSS score is below 1%, so public exploitation is considered unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only low privilege to submit data to a vulnerable form field, which is then stored and later displayed, making the attack vector straightforward for a user with limited access rights.

Generated by OpenCVE AI on March 17, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager patch (6.5.24 or later).
  • Verify patch deployment by checking the product version.

Generated by OpenCVE AI on March 17, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:41.385Z

Reserved: 2026-02-18T22:02:41.382Z

Link: CVE-2026-27240

cve-icon Vulnrichment

Updated: 2026-03-11T13:30:23.894Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:53.997

Modified: 2026-03-11T15:18:09.910

Link: CVE-2026-27240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:40Z

Weaknesses