Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side Script Execution
Action: Patch Now
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that could be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Affected Systems

Affected systems are Adobe Experience Manager 6.5.23 and all earlier releases, including the 6.5 LTS and SP1 builds. The common platform enumeration list confirms that all 6.5 variants are susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a low‑privileged attacker who can submit data through a form field within the application; no remote code execution or purely network‑based exploit is described.

Generated by OpenCVE AI on March 17, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied security patch that addresses CVE‑2026‑27244, as detailed in Adobe’s advisory at https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html. The patch upgrades affected installations to version 6.5.24 or newer, ensuring that form fields properly sanitize user input.

Generated by OpenCVE AI on March 17, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:38.462Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27244

cve-icon Vulnrichment

Updated: 2026-03-11T13:29:03.041Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:54.520

Modified: 2026-03-11T15:19:30.753

Link: CVE-2026-27244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:26Z

Weaknesses