Impact
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored Cross-Site Scripting vulnerability (CWE-79). A low-privileged attacker can inject malicious JavaScript into form fields that are later rendered to users. When a victim opens the page containing the vulnerable field, the script executes in the victim's browser, potentially allowing the attacker to hijack sessions, steal credentials or deface the site. The vulnerability is classed as stored because the injected script is persisted by the application and served to every user who views the affected page.
Affected Systems
Adobe Experience Manager product line: installations running version 6.5.24, LTS Service Pack 1, the 2026.04 release, and earlier releases of these lines.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate (Medium) severity; no EPSS score is currently available. The vulnerability is not listed in the CISA KEV catalog. An attacker with limited privileges, potentially no more than an authenticated content contributor, can exploit the flaw by submitting malicious input through a form field; the script is then stored and served to other users. Execution occurs in the victim's browser, so the direct impact is confined to the end-user environment, but arbitrary script running in the victim's session can lead to further compromise if that user has access to sensitive internal resources.
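As an added illustration of the Impact and Risk sections above (example code written for this page, not Adobe's code and not the affected AEM component), the functions below contrast the unsafe pattern the advisory describes, a stored form-field value concatenated straight into HTML, with context-aware output encoding, plus a review check that flags stored values containing markup. The field names and the submission are constructed.

```javascript
// Added example: rendering a stored form submission into a page.
// Constructed data; the field names and values are not from the advisory.
const storedSubmission = {
  name: 'Alice <script>/* constructed marker */</script>',
  comment: 'She said "hi" & left',
};

// Vulnerable pattern: stored text is concatenated into markup unchanged, so
// whatever a contributor typed becomes part of the page for every viewer.
function renderUnsafe(sub) {
  return `<p class="name" title="${sub.comment}">${sub.name}</p>`;
}

// Encode for HTML element content and quoted attribute values: the five
// characters that can open or close markup or an attribute become entities.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every stored value is encoded for the context it lands
// in (element text and a double-quoted attribute both use encodeHtml here).
function renderSafe(sub) {
  return `<p class="name" title="${encodeHtml(sub.comment)}">${encodeHtml(sub.name)}</p>`;
}

// Review aid for stored content: flag values that look like markup or
// inline event handlers so they can be inspected before publication.
function looksLikeMarkup(value) {
  return /<\s*\/?\s*[a-z!]|\son\w+\s*=/i.test(String(value));
}

// Returns the names of the fields in a submission that warrant review.
function flagSubmission(sub) {
  return Object.entries(sub)
    .filter(([, v]) => looksLikeMarkup(v))
    .map(([k]) => k);
}
```

The unsafe renderer emits the stored `<script>` element verbatim; the safe one emits `&lt;script&gt;`, which the browser displays as text rather than executing.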
OpenCVE Enrichment