A stored Cross‑Site Scripting vulnerability allows a low‑privileged attacker to inject malicious JavaScript into vulnerable form fields. When a user opens the affected page, the browser executes the injected script, potentially hijacking the user’s session or stealing data. The nature of the flaw is a classic client‑side script injection, classified as CWE‑79. The likely attack vector is through user‑submitted form data; the attacker does not need elevated permissions and can embed payloads by exploiting the field that is later rendered without proper sanitization. Impacts span confidentiality, integrity and availability for users of the affected form: an attacker can gain knowledge of the victim’s session, deface content, or conduct phishing. These consequences are tied to the user’s browser context and therefore occur only when a legitimate user navigates to the vulnerable page.

Adobe Experience Manager versions 6.5.24, the LTS SP1 release, and the 2026.04 release, as well as all earlier revisions, are affected. The vulnerability exists across these vulnerable releases of Adobe Experience Manager, regardless of deployment environment. All installations of Adobe Experience Manager that are running one of the affected releases are potentially exposed. The impacted functionality is the form fields that accept user input. The vulnerability is scoped to the application level, for configuration·control (scope is changed).

The CVSS score of 5.4 indicates a moderate impact, largely due to the requirement of interacting with the vulnerable form for exploitation. The EPSS score is not available, so no quantitative estimate of current exploitation activity can be provided. The vulnerability is not listed in the CISA KEV catalog, meaning no known publicly exploited exploits have been documented at the time of this analysis. An attacker with minimal privileges can inject scripts via form input; no network or privilege escalation is necessary. Because the flaw is a stored XSS, exploitation requires a victim to visit the affected page, which allows attackers to potentially hijack the victim’s session and steal sensitive information.