CVE-2026-47943: Adobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager (AEM) contains a stored cross-site scripting vulnerability affecting versions 6.5.24, LTS SP1, 2026.04 and earlier. A user with low-level permissions can inject malicious JavaScript code into form fields, which then executes when other users view the affected page. This is particularly risky because the malicious payload persists in the system rather than being temporary, and it affects the security boundary between different parts of the application (indicated by the scope change in the CVSS vector). The attack requires user interaction—victims must browse to the page containing the injected field—but the damage is real: attackers can steal session tokens, capture credentials, or perform unauthorized actions on behalf of victims.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47943 is a stored XSS vulnerability in Adobe Experience Manager caused by insufficient input validation and output encoding in form field handling. The vulnerability exists in versions 6.5.24, LTS SP1, 2026.04 and earlier. An attacker with low privilege credentials can inject malicious JavaScript into vulnerable form fields. Because the payload is stored server-side, it executes each time any user (including administrators) accesses the page containing the affected field. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C) indicates network-accessible attack surface, low complexity, low privilege requirement, required user interaction, and scope change—meaning the vulnerability impacts resources beyond the vulnerable component. This is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Business impact
Organizations running vulnerable AEM instances face compromise of administrator and user sessions, unauthorized modification of web content, defacement of digital properties, and potential theft of sensitive data stored or processed through AEM. Given AEM's role as a content management and digital experience platform, successful exploitation could undermine customer trust, cause reputational damage, and enable lateral movement if AEM shares authentication infrastructure with other corporate systems. The medium CVSS score reflects limited immediate confidentiality and integrity impact, but the persistent nature of stored XSS means ongoing risk until remediation.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected. All deployments running these versions with form field functionality accessible to lower-privileged users should be considered at risk. Verify your specific patch level against Adobe's official advisory to confirm exposure.
Exploitability
Exploitability is moderate. An attacker must possess valid credentials with at least low privilege level—this may be a content contributor, reviewer, or similar restricted role. They must identify and access a vulnerable form field, inject their payload, and wait for a higher-privileged user (ideally an administrator) to interact with the affected page. The reliance on user interaction (UI:R in CVSS) means attacks cannot trigger automatically, but social engineering or natural workflow can make this very likely in active environments. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
Remediation
Apply patches provided by Adobe for AEM. Upgrade to versions after 6.5.24, after LTS SP1, or after 2026.04 depending on your release track. Until patching is possible, implement compensating controls: restrict form field access to trusted users only, disable or remove unused form functionality, implement content security policy (CSP) headers to limit JavaScript execution context, and monitor AEM logs for suspicious form submissions or script injection patterns. Review user privileges and enforce least-privilege access principles.
Patch guidance
Consult Adobe's official security advisory for CVE-2026-47943 for exact patch versions and release dates. Patches are likely available across the three affected release tracks (6.5.x, LTS SP1, and 2026.x). Plan patching as part of your regular maintenance cycle, prioritizing production and development environments where form functionality is exposed. Test patches in a staging environment before production deployment to verify no regressions in AEM functionality or custom form integrations. Adobe typically publishes patches on their security bulletin website.
Detection guidance
Monitor AEM access logs for POST or PUT requests to form field endpoints with suspicious payloads containing script tags, event handlers (onerror, onclick), or URL-based JavaScript (javascript:, data:). Search application logs for unencoded or HTML-like content in form field values. Use web application firewalls (WAF) configured to block common XSS payloads in request bodies. Implement DOM-based monitoring in browsers accessing AEM to detect unexpected script execution. Review AEM configuration audits to identify form fields without proper output encoding. Correlate form submissions with subsequent page views to detect when injected scripts are rendered.
Why prioritize this
While the CVSS score is medium (5.4) and the vulnerability requires low privilege and user interaction, stored XSS in a content management platform is dangerous because persistence means the attack surface grows over time and impacts all users viewing affected pages. AEM's role in managing digital experiences and potential connection to identity systems elevates business risk. Organizations should prioritize patching within 30-60 days, sooner if low-privilege accounts are held by external contractors or if AEM is internet-facing.
Risk score, explained
The CVSS 3.1 score of 5.4 (Medium) reflects network accessibility (AV:N) and low attack complexity (AC:L), but is moderated by the requirement for valid low-privilege credentials (PR:L) and user interaction (UI:R). Confidentiality and integrity impact are both low (C:L, I:L), and there is no availability impact (A:N). The scope change (S:C) indicates the vulnerability affects resources outside the immediate vulnerable component, which increases concern. The score does not fully capture the persistent nature of stored XSS or its cascading potential if administrators are compromised, so organizations may justify higher internal risk ratings based on threat model and environment sensitivity.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires a valid AEM account with at least low-privilege permissions (e.g., contributor role). Unauthenticated users cannot access the vulnerable form fields.
Will a Web Application Firewall (WAF) alone stop this attack?
A WAF configured with XSS detection rules may block some payloads at the network boundary, but because the vulnerability is in how AEM stores and renders form data, internal requests from trusted IPs may bypass WAF rules. WAF is useful as a defense layer but not a substitute for patching or input validation fixes in AEM itself.
What happens if an attacker injects a script that steals administrator sessions?
If an administrator views a page containing the injected script, their session token or credentials could be exfiltrated. The attacker could then impersonate the administrator, modify content, change AEM configuration, or escalate privileges. This is why administrators should be treated as high-value targets in incident response.
Does this vulnerability affect offline or air-gapped AEM deployments?
Only if the attacker has physical or network access to inject malicious form data. Air-gapped environments reduce the attack surface significantly, but internal threats or supply-chain compromises could still introduce malicious payloads via import of content or configuration files.
This analysis is based on publicly available vulnerability data current as of June 2026. Specific patch versions, release dates, and vendor-specific mitigations must be verified against Adobe's official security advisory at adobe.com/security. Testing in a non-production environment is mandatory before applying patches. This analysis does not constitute legal, compliance, or professional security advice. Organizations should engage qualified security professionals to assess risk and remediation in their specific environments. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4
- CVE-2026-47945MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch & Detection Guide