MEDIUM 5.4

CVE-2026-47941: Stored XSS in Adobe Experience Manager—CVSS 5.4 Medium

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored cross-site scripting (XSS) flaw in form field handling. A low-privileged user can inject malicious JavaScript that persists in the application and executes in other users' browsers when they view the affected page. This is a persistence problem: the attack code lives in the application, not just in a URL or temporary input. The scope change means the XSS can affect resources beyond the vulnerable component itself.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Adobe Experience Manager's form field processing logic (CWE-79: Improper Neutralization of Input During Web Page Generation). A low-privileged authenticated attacker can insert unescaped or inadequately sanitized JavaScript into form fields. Because the malicious payload is stored server-side, it executes in the security context of the victim's browser session whenever they navigate to or reload the page containing that field. The CVSS 3.1 score of 5.4 (Medium) reflects the requirement for both low-privilege user interaction and user interaction (UI:R), combined with limited confidentiality and integrity impact and no availability impact (C:L, I:L, A:N). Scope change (S:C) indicates the attack can affect components or data outside the vulnerable form field itself.

Business impact

Stored XSS in an enterprise content management platform like Experience Manager can enable attackers to harvest sensitive information from authorized users, escalate privileges through phishing or credential capture, modify or deface published content, redirect users to malicious sites, or inject cryptominers. Organizations using AEM for customer-facing portals, internal collaboration, or asset management face potential data exfiltration and brand damage. Remediation requires patching across multiple product versions, creating compliance and operational risk if legacy instances cannot be updated immediately.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations should verify their exact AEM versions and service pack levels against the vendor advisory to determine exposure. Both on-premises and cloud-managed deployments are affected if running vulnerable builds.

Exploitability

The vulnerability requires low privilege (PR:L) and user interaction (UI:R), meaning an attacker needs a valid user account with form submission capability and must convince or wait for another user to visit the affected page. This is a moderate barrier but realistic in shared environments. The attack requires no special tools or advanced techniques—standard form submission methods suffice. It is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of stored XSS makes it a likely target for weaponization once patches are available for comparison.

Remediation

Apply Adobe's security updates for Experience Manager as soon as they become available. Verify patch version numbers against Adobe's official security bulletin. In parallel, apply input validation and output encoding controls at the application level if custom form fields exist. Implement Content Security Policy (CSP) headers to mitigate XSS impact. Review access controls to ensure only necessary users can submit forms, and audit form submissions for unusual or suspicious input patterns. If immediate patching is not feasible, restrict access to vulnerable forms to trusted users only.

Patch guidance

Consult Adobe's official security advisory for the specific patch versions that remediate CVE-2026-47941. Test patches in a staging environment replicating your form workflows before production deployment. Prioritize instances that process or display user-submitted content to external audiences. For organizations running multiple AEM versions, develop a phased patching plan, beginning with the most exposed systems. Document patch deployment to satisfy compliance and incident response protocols.

Detection guidance

Monitor web application logs and form submission endpoints for unusual characters or script tags (e.g., <script>, javascript:, onerror=, onload=). Search existing form field data in Experience Manager for evidence of injected payloads using terms like <script>, event handlers (on*=), or data: URIs. Implement browser-based detection of XSS execution through Content Security Policy violation reports. Use network intrusion detection signatures tuned to identify stored XSS patterns if available from your IDS vendor. Correlate user access logs with form modification timestamps to identify suspicious submission patterns.

Why prioritize this

Although CVSS score is Medium (5.4), the attack surface in a multi-user CMS environment is broad. Form field XSS can affect any user viewing content, making potential victim count high in large deployments. The stored nature of the flaw means it persists until actively remediated, unlike reflected XSS. Organizations with public-facing AEM instances or high-value internal collaboration platforms should prioritize patching. Compliance frameworks (PCI-DSS, HIPAA, SOC 2) often mandate remediation of stored XSS within 30 days, raising business urgency beyond the numerical risk score.

Risk score, explained

CVSS 3.1 score of 5.4 (Medium) reflects a required low privilege account and user interaction, limiting the immediate threat from entirely unauthenticated attackers. However, the scope change (S:C) indicates cross-component impact, and the stored nature of the payload means victims are at risk continuously until the form data is purged or patched. Organizations should not underestimate risk based on the Medium rating alone; context such as number of users, sensitivity of data displayed alongside forms, and regulatory obligations should inform priority.

Frequently asked questions

Do we need to patch all Adobe Experience Manager versions, or only the ones listed?

Yes, patch all vulnerable versions listed in the advisory: 6.5.24, LTS SP1, 2026.04, and earlier. Check your deployment for exact version and service pack, then verify the minimum patch version required against Adobe's official security bulletin. Some versions may be out of support; consult Adobe for guidance on legacy instances.

Can Web Application Firewalls (WAF) or input filters block this attack?

WAFs configured to block script tags and event handlers in form submissions can reduce risk, but they are not a substitute for patching. Attackers may find encoding or obfuscation bypasses, and internal applications may legitimately submit HTML in certain fields. WAF rules should complement—not replace—prompt patching and secure coding practices.

What is the difference between this stored XSS and a reflected XSS attack?

Stored XSS persists in the application database (in this case, form fields), so any user viewing the page is at risk, even if they did not submit malicious input. Reflected XSS only affects users who click a malicious link; it requires active attacker delivery. Stored XSS is generally considered more dangerous because it has a broader and longer-lasting impact.

Is this vulnerability exploited in the wild currently?

This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, stored XSS is a well-understood attack pattern, and this flaw may be exploited opportunistically once public details and patches are available. Assume active exploitation is possible once patches exist.

This analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Patch version numbers, affected product details, and CVSS scores are derived from official vendor advisories and NIST/CISA databases current as of the published date. Organizations must verify their specific product versions and consult Adobe's official security bulletin for authoritative patch information and remediation timelines. Testing in a non-production environment before deploying patches is strongly recommended. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and assumes no liability for decisions or actions taken based on this content. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).