Impact
The vulnerability is a stored Cross-Site Scripting flaw in Adobe Experience Manager (AEM) that allows a low-privileged attacker who can inject data into form fields to embed malicious JavaScript. When a victim later views the page containing the poisoned field, their browser executes the attacker's script, potentially leading to session hijacking, credential theft, or defacement. The root cause is insufficient input validation and output encoding of form field content (CWE-79). The vendor reports the issue in all releases up to and including version 6.5.24, LTS SP1, and 2026.04, so the flaw affects a broad set of deployments.
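The advisory attributes the flaw to missing output encoding of stored form field content. The following added example (not code from the advisory, OpenCVE, or Adobe; the field name, the template markup, and the sample values are all constructed) renders a form field both the vulnerable way, by splicing the stored value straight into the page, and the hardened way, by HTML-encoding it for the context it lands in, then checks whether the page structure survived and whether the stored data round-trips intact:

```python
import html
import re

# Constructed sample submissions for a single form field; none of these values
# come from the advisory. The second carries a script tag and the third tries
# to break out of a double-quoted attribute.
SAMPLE_VALUES = [
    "Ada Lovelace",
    '<script>alert("stored")</script>',
    '" onmouseover="alert(1)',
]

# Hypothetical markup a component emits for one field. Only the three '<' and
# four '"' below should ever reach the browser; anything beyond that came from
# the stored value.
TEMPLATE = '<label>{name}</label><input name="{name}" value="{value}">'
TEMPLATE_LT = TEMPLATE.count("<")      # 3
TEMPLATE_QUOTES = TEMPLATE.count('"')  # 4


def render_field_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern (CWE-79): the stored value is spliced into the page
    with no output encoding, so '<' and '"' in the value become markup."""
    return TEMPLATE.format(name=name, value=value)


def render_field_safe(name: str, value: str) -> str:
    """Hardened pattern: encode every untrusted string for the HTML context it
    lands in. quote=True also escapes '"' so attribute values cannot close
    their own quotes."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        value=html.escape(value, quote=True),
    )


def structure_intact(fragment: str) -> bool:
    """True when the fragment carries exactly the template's own markup
    characters, i.e. the stored value contributed no tags and no attribute
    boundaries."""
    return (fragment.count("<") == TEMPLATE_LT
            and fragment.count('"') == TEMPLATE_QUOTES)


_VALUE_ATTR = re.compile(r'value="([^"]*)"')


def stored_value_round_trips(fragment: str, original: str) -> bool:
    """True when the browser would decode the value attribute back to the
    original text: encoding preserved the data while neutralising it."""
    m = _VALUE_ATTR.search(fragment)
    return m is not None and html.unescape(m.group(1)) == original


def audit(values=SAMPLE_VALUES, field="comment"):
    """Render each sample both ways and report whether page structure
    survived and whether the encoded value still decodes to the original."""
    report = {}
    for v in values:
        safe = render_field_safe(field, v)
        report[v] = {
            "unsafe": structure_intact(render_field_unsafe(field, v)),
            "safe": structure_intact(safe),
            "safe_round_trip": stored_value_round_trips(safe, v),
        }
    return report


if __name__ == "__main__":
    for value, result in audit().items():
        print(f"{value!r:40} {result}")
```

The benign value passes both renderers, while the two hostile values only pass the encoded one: the raw renderer lets the script value add two tags and the quote-breakout value add an attribute boundary. The round-trip check shows that encoding loses no data, which is the usual objection to it. As general background (not a statement about the cause of this CVE), AEM's HTL templating encodes expressions by context unless a component opts out with `context='unsafe'`; reviewing components that emit form field content through such raw paths, or through Java/JSP string concatenation, is the defender's starting point.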
Affected Systems
Affected products include Adobe Experience Manager, specifically versions 6.5.24, LTS SP1, 2026.04 and any earlier releases. Users running those versions are at risk because the flaw is embedded in the core content management components that accept and render user‑supplied form data.
Risk and Exploitability
The CVSS score is 5.4, indicating moderate severity; the EPSS score is not available, so the likelihood of exploitation cannot be quantified, and the issue is not currently listed in the CISA KEV catalog. Attackers appear to exploit the flaw by creating or editing content that contains malicious script in a form field and then convincing a legitimate user to view that content. The changed-scope component of the CVSS rating indicates that the impact can extend beyond the attacker's own permissions, potentially affecting other users who view the content.
OpenCVE Enrichment