Impact
A stored Cross‑Site Scripting vulnerability exists in Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier. The flaw allows a low‑privileged attacker to inject malicious JavaScript into vulnerable form fields, which is then executed in the browser of anyone who views the affected page. The stored nature of the flaw means the malicious content persists and can be repeatedly exploited, potentially compromising the confidentiality and integrity of content and user sessions. The vulnerability is classified as CWE‑79 and carries a CVSS score of 5.4, indicating a medium severity risk if exploited.
Affected Systems
Adobe Experience Manager deployments running any affected version (6.5.24, LTS SP1, 2026.04, or any earlier release). Any user who can submit content through form fields that are not properly sanitized can plant the payload, and anyone who views the affected page is exposed, regardless of permission level.
Risk and Exploitability
The attack vector is likely a web form entry point that accepts user input without sufficient sanitization. Once the malicious script is stored, it is served to all subsequent viewers of the page. The EPSS score is not available, but the CVSS rating of 5.4 suggests a moderate attack likelihood for many environments. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits are confirmed, yet the stored nature of the XSS gives an attacker a clear path to arbitrary client-side execution in victims' browsers.
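The pattern the Impact and Risk sections describe (a form field stored as-is and later interpolated into page markup for every viewer) and the fix a defender applies (output encoding at render time) are shown below as an added example. This is illustrative code written for this page; it is not Adobe's code, not AEM's rendering layer, and not derived from the advisory. The form-submission records, the `renderUnsafe`/`renderSafe` renderers and the `containsUnexpectedTags` check are all constructed for the example, and the sample payload is a textbook script tag standing in for the injected JavaScript the advisory mentions.

```javascript
// Added example, not from the advisory or from Adobe: stored-XSS rendering
// pattern beside its hardened form, using plain strings so it runs under Node
// without a DOM.

// Constructed sample of "stored" form submissions, as they would sit in a
// content repository after the form handler accepted them unsanitized.
const storedSubmissions = [
  { author: "alice", comment: "Great article, thanks!" },
  { author: "mallory", comment: "<script>alert('stored xss')</script>" },
];

// Vulnerable renderer: stored fields are interpolated straight into markup,
// so whatever the submitter typed becomes part of the page for every viewer.
function renderUnsafe(submission) {
  return `<p class="comment"><b>${submission.author}</b>: ${submission.comment}</p>`;
}

// HTML entity encoder for the element-content and double-quoted-attribute
// contexts. The five characters below are the ones that can change HTML
// structure; URL, JavaScript and CSS contexts need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: every stored value passes through the encoder at output
// time, regardless of what input-side validation did or did not happen.
function renderSafe(submission) {
  return `<p class="comment"><b>${escapeHtml(submission.author)}</b>: ${escapeHtml(submission.comment)}</p>`;
}

// Defender-side check: does a rendered fragment contain any element that the
// template itself does not emit? Useful as a regression test for a renderer
// or as a scan over already-stored content. The allowed set matches the
// template above (only <p> and <b>).
function containsUnexpectedTags(html, allowed = new Set(["p", "b"])) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tagNames.some((name) => !allowed.has(name));
}

// Scan stored records and report which ones would introduce foreign elements
// if rendered by the vulnerable path; this is the triage step a responder runs
// to find already-planted payloads before the renderer is fixed.
function findTaintedSubmissions(submissions) {
  return submissions
    .filter((s) => containsUnexpectedTags(renderUnsafe(s)))
    .map((s) => s.author);
}

// Demonstration when run directly: the hardened renderer never emits the
// injected element, while the vulnerable one does.
for (const s of storedSubmissions) {
  console.log("unsafe:", renderUnsafe(s));
  console.log("safe:  ", renderSafe(s));
}
console.log("tainted records:", findTaintedSubmissions(storedSubmissions));
```

The encoder is applied at output time rather than on input because the same stored value may be rendered into several contexts, and only the renderer knows which one it is emitting into; input-side filtering is a useful extra layer but is what the advisory describes as missing, and it is not a substitute for context-aware output encoding.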
OpenCVE Enrichment