Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (Client‑Side)
Action: Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross‑Site Scripting (XSS) vulnerability that allows an attacker to store malicious JavaScript in form fields. When a victim accesses the page containing the altered field, the injected script is executed in the victim’s browser. This client‑side execution is a classic example of CWE‑79, allowing potential attacks such as phishing, session hijacking, or defacement, depending on the attacker’s goals.

Affected Systems

The affected product is Adobe Experience Manager. All instances deployed with version 6.5.23 or earlier are vulnerable, as indicated by the CNA‑reported affected versions and the corresponding CPE entries for 6.5, LTS and SP1 releases.

Risk and Exploitability

The CVSS score of 5.4 classifies the issue as moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by submitting malicious script payloads via normal user input into vulnerable form fields; the execution occurs when any user views the affected page, implying a remote attack vector that requires write access to the target environment. The required preconditions and discovery level are consistent with a typical stored XSS scenario.

Generated by OpenCVE AI on March 17, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the official Adobe Experience Manager security patch that addresses CVE-2026-27262, targeting all 6.5.23 and earlier releases.
  • If an update cannot be applied immediately, implement input validation or sanitization to strip <script> tags and other executable content from form fields as a temporary workaround.
  • Monitor web application logs and user activity for suspicious form submissions or injected scripts.
  • Apply or update web application firewall rules to block or filter out payloads containing JavaScript or script‑tag patterns.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:39.054Z

Reserved: 2026-02-18T22:02:41.386Z

Link: CVE-2026-27262

Vulnrichment

Updated: 2026-03-11T13:29:17.563Z

NVD

Status: Analyzed

Published: 2026-03-11T01:16:57.110

Modified: 2026-03-11T14:50:28.597

Link: CVE-2026-27262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:29Z