Impact
Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross‑Site Scripting (XSS) flaw that lets a low‑privileged attacker inject JavaScript into form fields. Because the input is stored rather than reflected, the payload executes every time a victim's browser renders a page containing the compromised field, which can let the attacker read session cookies (those not marked HttpOnly), perform actions with the victim's session, deface content, or redirect users to attacker‑controlled sites. The weakness is classified as CWE‑79 (improper neutralization of input during web page generation), meaning untrusted user input reaches the rendered page without adequate escaping.
Affected Systems
The affected product is Adobe Experience Manager (AEM) 6.5.23 and all earlier releases. According to the vendor advisory, any AEM deployment at 6.5.23 or lower is affected, whether it runs on‑premises or as part of the AEM Cloud Service.
Risk and Exploitability
The CVSS score of 5.4 places the flaw in the medium severity band, and an EPSS score below 1 % indicates a low predicted probability of exploitation in the wild over the next 30 days. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only that an attacker with a low‑privileged account submit crafted input to a form field that the application persists and later renders without escaping. The script then fires when any end user browses the affected page, so the realistic attack path is an unsuspecting user loading a page that already carries the stored payload, not a link the victim must be tricked into clicking.
OpenCVE Enrichment