Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that can be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. The injected JavaScript is executed when a victim visits a page containing the field, potentially compromising data integrity, confidentiality, and enabling phishing or further exploitation. The weakness is identified as CWE‑79.

Affected Systems

Affected systems include Adobe Experience Manager, specifically versions 6.5.23 and earlier. No additional vendor or product variants are explicitly listed beyond the general Adobe Experience Manager family.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity, and the EPSS score is <1%, suggesting low exploit probability. This vulnerability is not listed in the CISA KEV catalog. Attackers require only low privileges, such as a content author, to inject payloads into form fields. Once injected, the payload persists until removed, giving the attacker a persistent foothold for client‑side attacks.

Generated by OpenCVE AI on March 17, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Experience Manager patch or upgrade to a version newer than 6.5.23.
  • Audit all AEM instances to confirm they are running a patched version and that no legacy 6.5.23 or earlier versions remain.
  • Monitor web application logs and user activity for signs of unexpected script execution or XSS attempts.

Generated by OpenCVE AI on March 17, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:40.931Z

Reserved: 2026-02-18T22:02:41.387Z

Link: CVE-2026-27265

cve-icon Vulnrichment

Updated: 2026-03-11T13:30:11.200Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:57.627

Modified: 2026-03-11T14:55:29.760

Link: CVE-2026-27265

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:38Z

Weaknesses