Impact
This vulnerability allows a low‑privileged attacker to store malicious JavaScript in form fields of Adobe Experience Manager (AEM) versions 6.5.23 and earlier. According to the vendor advisory, AEM stores the attacker‑supplied value without proper sanitization and later renders it, so the script executes in the browser of any victim who views the affected page: a stored Cross‑Site Scripting (XSS) flaw (CWE‑79). Consequences include theft of data visible in the victim's browser, session hijacking, and defacement of the site as the victim sees it.
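To make the mechanism concrete, the following is an added example written for this page; it is not AEM code and does not reproduce the advisory's actual vulnerable component. It shows the generic pattern behind a stored XSS in a form field: a stored value concatenated straight into markup (vulnerable) beside the same rendering with output encoding (hardened), plus a rough check over the rendered HTML. The payload, the `renderField*` functions and `containsForeignTag` are constructed for illustration.

```javascript
// Added example (not AEM's code): stored form-field value rendered unescaped vs. escaped.

// Minimal HTML escaper for text placed inside an element body or a
// double-quoted attribute value. It encodes the five characters that can
// break out of those two contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Vulnerable pattern: the stored field value is concatenated straight into markup.
// A value such as <script>...</script> or <img onerror=...> is emitted verbatim
// and executed by every browser that renders the page.
function renderFieldUnsafe(label, storedValue) {
  return `<p><b>${label}:</b> ${storedValue}</p>`;
}

// Hardened pattern: the value is escaped for the HTML text context at output time,
// so the browser displays the payload as literal characters instead of parsing it.
function renderFieldSafe(label, storedValue) {
  return `<p><b>${escapeHtml(label)}:</b> ${escapeHtml(storedValue)}</p>`;
}

// Constructed sample payload (assumption: the kind of value a low-privileged
// submitter could store in a form field).
const STORED_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Heuristic output check: after removing the template's own <p>/<b> tags,
// does anything that still looks like an HTML tag remain in the markup?
function containsForeignTag(html) {
  const withoutTemplate = html.replace(/<\/?(p|b)>/g, "");
  return /<[a-zA-Z!/]/.test(withoutTemplate);
}

// Stand-alone run: the unsafe rendering keeps the injected element, the safe one does not.
console.log("unsafe:", renderFieldUnsafe("Comment", STORED_PAYLOAD));
console.log("safe:  ", renderFieldSafe("Comment", STORED_PAYLOAD));
```

Note that `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, an event-handler attribute, a URL or CSS needs the encoder for that context instead. `containsForeignTag` is a demonstration heuristic, not a production filter: the fix is encoding at output, not detecting payloads.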
Affected Systems
Affected products are Adobe Experience Manager 6.5.23 and all earlier releases of the 6.5 series. The vulnerability applies to both the standard edition and the AEM Cloud Service variant, as indicated by the Common Platform Enumeration (CPE) identifiers provided by Adobe; the vendor advisory confirms the 6.5.23 cutoff and lists these affected editions.
Risk and Exploitability
The assigned CVSS v3.1 base score is 5.4 (medium severity). The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attacker needs only low privileges (the ability to submit form data), but because the payload is stored, it executes in the browser of every user who views the affected content, so a single submission can reach many victims. The vendor advisory and the CVSS vector are the basis for this risk rating. Reference: https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html.
OpenCVE Enrichment