Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Assess
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross‑Site Scripting (XSS) vulnerability that allows a low‑privileged attacker to inject malicious JavaScript into vulnerable form fields. When a victim visits a page that contains the injected script, the script is executed in the victim’s browser, creating an opportunity for the attacker to manipulate page content, steal session data, or perform other client‑side actions.

Affected Systems

Affected systems are Adobe Experience Manager (vendor Adobe) version 6.5.23 and earlier. This includes the 6.5 LTS and 6.5 SP1 distributions, as well as the Adobe Experience Manager Cloud Service that incorporates these versions.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity, while the EPSS score of <1% suggests a low likelihood of widespread exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by submitting data to a susceptible form field that the system stores and later renders without proper sanitization, leading to execution of arbitrary scripts within the victim’s browser.

Generated by OpenCVE AI on March 17, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Adobe security advisory for updates and apply available patches to Adobe Experience Manager as soon as they are released.

Generated by OpenCVE AI on March 17, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:42.870Z

Reserved: 2026-02-18T22:02:41.386Z

Link: CVE-2026-27257

cve-icon Vulnrichment

Updated: 2026-03-11T13:31:05.679Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:56.413

Modified: 2026-03-11T14:28:22.293

Link: CVE-2026-27257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:37Z

Weaknesses