Impact
Adobe Experience Manager supports user-generated content through form fields. A low-privileged attacker can submit input containing malicious JavaScript that is stored and later rendered to any staff member who views the page. The stored script executes in the victim's browser, enabling cookie theft, session hijacking, or defacement, and the changed scope widens the potential impact. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic unsanitized-input weakness.
Affected Systems
The vulnerability affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier. Users running these releases should verify their current version and apply the available updates.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in CISA's KEV catalog. A low-privileged attacker who can submit data to a vulnerable form field can store malicious JavaScript that executes when an authenticated user opens the page; exploitation therefore depends on a victim viewing the page that holds the stored payload. The known impact is execution of arbitrary client-side code, which can lead to cookie theft, session hijacking, and defacement. Because the scope is changed, the potential impact extends to any user who can view the page, not only the user who submitted the payload.
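As an added illustration (not Adobe's code and not the affected AEM component), the snippet below contrasts the vulnerable pattern the advisory describes, stored form input concatenated straight into a page, with contextual output encoding as the mitigation; the submission record, the render functions and the smoke check are all constructed for this example.

```javascript
// Illustration of CWE-79 (stored XSS) in user-generated form content and its
// standard mitigation: encode untrusted values for the HTML context they land in.
// Example code only; it does not reproduce any Adobe Experience Manager component.

// Constructed sample of a form submission persisted by the application.
const CONSTRUCTED_SUBMISSION = {
  author: "guest",
  comment: "Nice article <script>alert(1)</script>",
};

// Encode the five characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored input is interpolated into markup without encoding,
// so a stored <script> element is parsed and executed by every viewer's browser.
function renderUnsafe(submission) {
  return `<li class="comment"><b>${submission.author}</b>: ${submission.comment}</li>`;
}

// Hardened pattern: every untrusted value is encoded before it reaches the markup,
// so the same input is displayed as literal text and never parsed as an element.
function renderSafe(submission) {
  return `<li class="comment"><b>${escapeHtml(submission.author)}</b>: ` +
    `${escapeHtml(submission.comment)}</li>`;
}

// Smoke check for rendered output: does any script element or inline event handler
// survive? This is a review aid for test suites, not a substitute for encoding.
function hasExecutableMarkup(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html) || /javascript:/i.test(html);
}

module.exports = { CONSTRUCTED_SUBMISSION, escapeHtml, renderUnsafe, renderSafe, hasExecutableMarkup };
```

Running both renderers over the same stored submission shows why encoding on output, together with HttpOnly session cookies to blunt cookie theft, is the fix rather than filtering input on the way in.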
OpenCVE Enrichment