Impact
Adobe Experience Manager versions 6.5.23 and earlier contain a stored cross-site scripting (XSS) vulnerability (CWE-79). The flaw allows a low-privileged attacker to submit malicious JavaScript through vulnerable form fields; the payload is persisted and rendered to any user who accesses the affected page. The injected script executes in the context of the victim's browser, enabling client-side attacks such as session-cookie theft, site defacement, phishing, or malware delivery. The vulnerability does not provide server-side code execution or denial-of-service capability.
Affected Systems
All Adobe Experience Manager installations running version 6.5.23 or older are affected. This includes the on-premises 6.5.23 release, the 6.5 LTS build, the SP1 build, and any AEM Cloud Service deployments preceding 6.5.24. Any product matching the supplied CPE identifiers should be treated as containing the vulnerability.
Risk and Exploitability
The CVSS v3 score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog, implying no publicly known exploits at this time. An attacker needs only the ability to submit data through a form; no elevated privileges are required. Because the stored payload is rendered to every user who views the affected page, the risk is primarily client-side, potentially allowing credential theft or further phishing once a victim's browser executes the script.
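To illustrate the bug class described in the Impact and Risk sections (stored input rendered unencoded to other viewers), here is an added example; it is not Adobe's code and does not reproduce the specific AEM component, which the advisory does not identify. It renders one persisted form value both without encoding and with HTML output encoding, then uses a parser to list which elements or event handlers would actually reach a viewer's browser.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the persistence layer behind a vulnerable form field.
# Values are stored exactly as submitted; encoding is a rendering-time concern.
class FormStore:
    def __init__(self):
        self.comments = []

    def submit(self, author, text):
        # Low-privileged path: any visitor can persist a value that other users will see.
        self.comments.append({"author": author, "text": text})


def render_vulnerable(store):
    # Interpolates stored values straight into markup: submitted tags become live DOM for every viewer.
    return "".join(f"<li><b>{c['author']}</b>: {c['text']}</li>" for c in store.comments)


def render_hardened(store):
    # Encodes for the HTML text context at output time; quote=True also neutralises quotes,
    # so the same helper is safe for quoted attribute values.
    esc = lambda s: html.escape(s, quote=True)
    return "".join(f"<li><b>{esc(c['author'])}</b>: {esc(c['text'])}</li>" for c in store.comments)


class _TagCollector(HTMLParser):
    # Records every start tag and every on* event-handler attribute the browser would see.
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(rendered, allowed=("li", "b")):
    # Returns the elements and event handlers in the rendered page that the template did not put there.
    parser = _TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t not in allowed] + parser.handlers


if __name__ == "__main__":
    store = FormStore()
    store.submit("guest", "<script>alert(1)</script>")  # constructed probe value
    print(active_content(render_vulnerable(store)))  # ['script']
    print(active_content(render_hardened(store)))    # []
```

The stored value is left untouched in both cases; the fix belongs at the output-encoding step, and marking session cookies HttpOnly limits what a payload that does execute can read.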
OpenCVE Enrichment