MEDIUM 5.4

CVE-2026-47936: Adobe Experience Manager Stored XSS

Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw that allows attackers with basic user permissions to embed malicious code into form fields. When other users view those pages, the attacker's JavaScript runs in their browsers. This is particularly concerning because the injected script can affect other domains or applications (indicated by the changed scope), potentially compromising session tokens or sensitive data from multiple contexts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47936 is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager 6.5.24, LTS SP1, 2026.04 and earlier versions. The vulnerability exists in form field handling, where insufficient input sanitization permits authenticated attackers to persist malicious JavaScript payloads. When victim users browse to the affected page, the browser executes the injected script in their security context. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, low privilege requirement, required user interaction, changed scope, and resulting confidentiality and integrity impact without availability loss.

Business impact

Stored XSS in a content management platform like Experience Manager poses significant operational and reputational risk. Attackers can deface published content, steal session credentials from site visitors, redirect users to malicious domains, or harvest sensitive information submitted through forms. The changed scope means an attacker could potentially pivot from AEM into integrated downstream systems or trusted partner applications. Organizations relying on AEM to deliver trusted digital experiences face customer confidence erosion if the vulnerability is exploited at scale.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations running any of these versions should prioritize inventory and remediation. Notably, no versions are listed as patched in the source data; verify the latest vendor advisories for patch availability and version upgrade paths specific to your deployment model (on-premise or cloud-managed).

Exploitability

The vulnerability requires authentication (low-privilege user account) and user interaction (victim must visit the malicious page), which moderates exploitability compared to unauthenticated flaws. However, attackers often gain initial account access through credential compromise or insider threats, making this a practical attack vector in real environments. The straightforward nature of XSS—no special bypass techniques or race conditions required—means exploitation is relatively straightforward once form field injection is discovered.

Remediation

Immediately verify your AEM instance versions against the vendor's official advisory to confirm patch availability. If patched versions exist for your branch, prioritize upgrade scheduling, especially for internet-facing or high-traffic AEM instances. Until patching, implement compensating controls: disable or restrict access to affected form fields, apply Web Application Firewall (WAF) rules to block suspicious script patterns in form submissions, and enforce strong Content Security Policy (CSP) headers to limit script execution scope.

Patch guidance

Check Adobe's official security advisory to identify patched versions for 6.5.x, LTS SP1, and 2026 branches. Schedule testing of patches in non-production environments to validate compatibility with custom extensions and integrations before production deployment. If your organization uses Adobe's cloud-managed Experience Manager offering, verify whether Adobe has already applied patches to your tenant and confirm through release notes.

Detection guidance

Monitor AEM audit logs for suspicious form field submissions containing script tags or JavaScript keywords (e.g., <script>, onerror, onclick). Web Application Firewall and proxy logs should be reviewed for HTTP requests containing encoded script payloads destined for form endpoints. Conduct a manual or automated scan of published pages for stored script content in form fields or other user-editable zones. Consider enabling AEM's built-in content validation and sanitization features if not already active.

Why prioritize this

Although the CVSS score is MEDIUM (5.4), the combination of stored persistence, changed scope affecting downstream systems, and the prevalence of AEM in enterprise digital platforms warrants elevated attention. Stored XSS is more dangerous than reflected variants because the payload remains in the system and affects all visitors. Assign this a high-priority remediation window—ideally 30 days or less for internet-exposed instances.

Risk score, explained

The CVSS 5.4 MEDIUM severity reflects the moderate bar for exploitation (authentication required, user interaction needed) balanced against meaningful impact (confidentiality and integrity compromise, scope change). However, context matters: if your AEM instance serves high-value customer interactions or integrates with sensitive back-end systems, operational risk may exceed the base CVSS. Adjust your internal risk rating upward if AEM is a trusted entry point to downstream applications or handles personal data.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires a valid, low-privilege user account on the AEM instance. Attackers must first obtain credentials through phishing, credential stuffing, or account provisioning abuse. However, once authenticated, very minimal privileges are needed to inject malicious form content.

What does 'scope is changed' mean in the CVSS vector?

'Scope changed' indicates that the vulnerable component (AEM form field) can impact resources beyond its security boundary. This means the injected script can access cookies, APIs, or data from other domains or integrated applications if those resources share the same origin or trust relationship. This increases severity because an attacker's reach extends beyond the single AEM page.

Is this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog?

No, this vulnerability is not currently listed in CISA's KEV catalog, meaning there is no confirmed evidence of active exploitation in the wild as of the published date. However, the absence of KEV status does not indicate low risk—stored XSS is a well-understood attack class with readily available tools and techniques.

What is the difference between this XSS and a typical website comment-based XSS?

While both are stored XSS, this vulnerability is particularly concerning in AEM because form data in a content management system often reaches wide audiences of users and may be trusted more implicitly than user comments. Additionally, AEM's integration with marketing, personalization, and downstream applications means the payload can potentially affect customer data flows beyond the immediate page.

This analysis is based on publicly available information and the vendor advisory as of June 2026. Patch availability, version numbers, and specific remediation timelines should be verified directly with Adobe's security advisories and your organization's software procurement channels. SEC.co does not provide legal or compliance advice; consult your security and legal teams regarding regulatory reporting obligations for this vulnerability. No exploit code or weaponized tools are provided or endorsed by this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).