Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross‑Site Scripting vulnerability (CWE‑79). A low‑privileged attacker can inject malicious JavaScript into vulnerable form fields, causing the script to execute in the browsers of any user who views the affected page, potentially leading to session hijacking or credential theft.

Affected Systems

Adobe Experience Manager, specifically versions 6.5.23 and all earlier releases, across both on‑premises and cloud deployments.

Risk and Exploitability

The vulnerability has a CVSS v3 score of 5.4 (medium), an EPSS score of less than 1 % indicating low current exploit likelihood, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to submit crafted input into a vulnerable form, which is then stored and rendered, making the attack path straightforward once the malicious payload is accepted.

Generated by OpenCVE AI on March 17, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Experience Manager security update that addresses CVE‑2026‑27266. Refer to the Adobe advisory at https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html for update details.
  • If the patch is not yet available, mitigate by sanitizing all user‑supplied input on form fields and ensuring that output is properly encoded to prevent script injection.

Generated by OpenCVE AI on March 17, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe experience Manager
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*
Vendors & Products Adobe experience Manager

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Experience Manager
Vendors & Products Adobe
Adobe adobe Experience Manager

Wed, 11 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Title Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Adobe Adobe Experience Manager Experience Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:38:42.487Z

Reserved: 2026-02-18T22:02:41.387Z

Link: CVE-2026-27266

cve-icon Vulnrichment

Updated: 2026-03-11T13:30:51.416Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T01:16:57.787

Modified: 2026-03-11T14:55:52.247

Link: CVE-2026-27266

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:33Z

Weaknesses