Impact
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored XSS flaw (CWE-79). A low‑privileged attacker can add malicious JavaScript into form fields that the system stores and later shows to other users. When a victim visits the page containing the field, the browser executes the attacker’s script, enabling the attacker to hijack the user’s session, steal credentials, or perform other client‑side attacks. The flaw resides in the way the product handles user‑submitted form data, and its CVSS score of 5.4 reflects a moderate severity level.
Affected Systems
The affected products are Adobe Experience Manager releases 6.5.24, the LTS SP1 variant, and the 2026.04 release, as well as any earlier builds. Users who run these versions and allow form input to be stored in a user‑modifiable area are at risk. The vulnerability is tied to generic form fields, which could appear in data entry, content management, and workflow components.
Risk and Exploitability
The risk is moderate: the vulnerability can be exploited by anyone who can submit data through a vulnerable form, without needing elevated privileges. No EPSS score has been published, so the likelihood of exploitation in the wild is unclear, but the CVSS rating of 5.4 indicates a noticeable impact if abused. Because the flaw is stored, the injected content persists across sessions; the vulnerability has not been recorded in the KEV catalog. An attacker would inject JavaScript through the form, and the stored script is then rendered in other users' browsers, enabling a range of client-side attacks. Preventing execution of untrusted input or applying the vendor patch are the primary defenses.
OpenCVE Enrichment