Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting (XSS) flaw in Adobe Experience Manager that allows a low‑privileged attacker to inject malicious JavaScript into form fields. When another user visits a page containing the vulnerable field, the injected script executes in that user's browser, which can lead to credential theft, session hijacking, or other actions performed in the victim's context. The weakness is classified as CWE‑79: user input that is not properly neutralized before being rendered into a web page, so it is interpreted as script.

Affected Systems

Adobe Experience Manager, in all 6.5.x releases up to and including version 6.5.23, and potentially earlier supported legacy releases. According to the known CPEs, the affected product families include the core Experience Manager application and the Adobe Experience Manager Cloud Service. Administrators should verify whether their environment is running an affected version.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need low‑privileged access that allows creating or editing content in a form field rendered on a page other users visit, and a victim must then browse to that page, so the attack vector is web‑based and requires user interaction. Given the modest severity and low exploitation probability, the risk is moderate but should still be addressed promptly.

Generated by OpenCVE AI on March 17, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Consult the Adobe Experience Manager security bulletin APSB26‑24 (https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html) to identify the patch or upgrade path.
  • Upgrade your AEM instance to a version newer than 6.5.23 (e.g., 6.5.24 or later) as recommended by the bulletin.
  • Enforce strict input validation and output encoding for all form fields to mitigate script injection if an immediate upgrade is not possible.
  • Consider disabling inline JavaScript in affected form fields or applying a web‑application firewall rule to block suspicious scripts.
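Output encoding is the control the third recommendation names. The example below is added here and is not code from OpenCVE, Adobe or AEM, nor the vulnerable component; it shows context‑aware HTML encoding of a stored form‑field value for a text node and for an attribute value, checked against a constructed probe string, next to the unencoded concatenation it replaces. The field name, sample value and function names are assumptions made for illustration.

```javascript
// Added example, not code from OpenCVE, Adobe or AEM: context-aware HTML
// output encoding for a stored form-field value. The field name, sample
// value and function names are assumptions made for illustration.

// Encode for an HTML text node (between tags). The five characters that
// can change the HTML parser's state become character references; '&' is
// replaced first so the ampersands introduced by the later replacements
// are not re-encoded.
function encodeForHtmlText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encode for a quoted HTML attribute value. Every character outside
// [A-Za-z0-9] becomes a hexadecimal reference, which covers quotes,
// whitespace, backtick and '=' that could otherwise terminate the
// attribute or start a new one. codePointAt with the /u flag keeps
// astral characters (emoji) as one reference instead of two.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) =>
    '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Rendering with encoding: each interpolation uses the encoder for the
// context it lands in (attribute value vs. text node).
function renderEncoded(fieldName, storedValue) {
  const attrName = encodeForHtmlAttribute(fieldName);
  return (
    '<label for="' + attrName + '">' + encodeForHtmlText(fieldName) + '</label>' +
    '<input id="' + attrName + '" value="' + encodeForHtmlAttribute(storedValue) + '">' +
    '<p>' + encodeForHtmlText(storedValue) + '</p>'
  );
}

// Rendering without encoding, kept only as the contrast case: stored
// content is concatenated straight into markup, which is the pattern
// behind a stored XSS.
function renderUnencoded(fieldName, storedValue) {
  return (
    '<label for="' + fieldName + '">' + fieldName + '</label>' +
    '<input id="' + fieldName + '" value="' + storedValue + '">' +
    '<p>' + storedValue + '</p>'
  );
}

// Regression check for the encoding layer: true when a value that carries
// markup-significant characters reaches the rendered HTML unchanged.
function leaksRawMarkup(html, storedValue) {
  return /[<>"'&]/.test(storedValue) && html.includes(storedValue);
}

// Constructed probe value: a quote-and-tag sequence that would break out
// of an attribute and open a script element if rendered unencoded.
const SAMPLE_FIELD = 'comment';
const SAMPLE_VALUE = '"><script>alert(1)</script>';

console.log('unencoded rendering leaks markup:',
  leaksRawMarkup(renderUnencoded(SAMPLE_FIELD, SAMPLE_VALUE), SAMPLE_VALUE));
console.log('encoded rendering leaks markup:',
  leaksRawMarkup(renderEncoded(SAMPLE_FIELD, SAMPLE_VALUE), SAMPLE_VALUE));
```

The point of the two encoders is that the safe character set depends on where the value lands: a text‑node encoder is not sufficient inside an attribute, and neither is sufficient inside a script block or a URL. In production, prefer the templating layer's own context‑aware escaping over hand‑written encoders; the functions here only make the contexts explicit, and `leaksRawMarkup` is the kind of check worth keeping as a unit test for any component that renders stored field content.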

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Adobe Experience Manager
CPEs                 (none)           cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
                                      cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
                                      cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
                                      cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products   (none)           Adobe Experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Adobe
                                      Adobe Experience Manager
Vendors & Products   (none)           Adobe
                                      Adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
Title         (none)           Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses    (none)           CWE-79
References    (none)           (none listed)
Metrics       (none)           cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:38.656Z

Reserved: 2026-02-18T22:02:41.384Z

Link: CVE-2026-27251

Vulnrichment

Updated: 2026-03-11T13:29:07.500Z

NVD

Status: Analyzed

Published: 2026-03-11T01:16:55.377

Modified: 2026-04-06T14:07:42.043

Link: CVE-2026-27251

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:27Z

Weaknesses