CVE-2026-47944: Adobe Experience Manager Stored XSS Vulnerability – CVSS 5.4
Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to inject malicious JavaScript code into form fields. When other users view pages containing these compromised fields, the attacker's scripts execute in their browsers. This is a persistence issue—the malicious payload remains in the system until removed, affecting anyone who accesses the affected content.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47944 is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager affecting versions 6.5.24, LTS SP1, 2026.04, and earlier. The vulnerability exists in form field handling where insufficient input sanitization allows authenticated but low-privileged attackers to embed malicious scripts. The stored nature means payloads persist server-side. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, score 5.4) reflects network accessibility, low attack complexity, requirement for low privilege and user interaction, and scope change—the latter indicating the impact extends beyond the vulnerable component to affect other users.
Business impact
Organizations using vulnerable AEM instances face credential theft, session hijacking, and malware distribution risks. Attackers can target high-value users (admins, executives) through persistent malicious content. Compliance implications arise if customer data is exfiltrated through XSS payloads. Remediation delays compound risk as the vulnerability persists across sessions and affects multiple users viewing the same content.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and all earlier versions are vulnerable. Organizations should verify their exact AEM version and service pack level. The vulnerability affects both on-premises and cloud deployments of these versions.
Exploitability
Exploitation requires low-level authentication and relies on a user visiting a page containing the injected payload. No complex exploitation techniques are necessary; standard XSS payloads are effective. The low attack complexity and network accessibility mean opportunistic attackers can readily craft exploits. However, the requirement for user interaction (UI:R) means automated worm-like propagation is constrained. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Upgrade Adobe Experience Manager to a patched version released by Adobe addressing this issue. Organizations must verify the specific patch version from Adobe's security advisory. Until patching is feasible, restrict form field access to trusted internal users only, disable public form submission where possible, and implement Web Application Firewall rules to detect XSS patterns in form inputs.
Patch guidance
Consult Adobe's official security bulletin for CVE-2026-47944 to identify the exact patched version for your AEM release line (6.5, LTS, or 2026 track). Test patches in a non-production environment before deployment. Prioritize production systems accessible to external users or handling sensitive data. Adobe typically releases patches through their standard update channels; verify against the vendor advisory for your specific configuration.
Detection guidance
Search application logs and request patterns for unusual JavaScript payloads in form field submissions and stored content. Monitor for XSS signatures in request bodies targeting form parameters. Review web server logs for atypical script tags or encoded payloads in POST requests. Implement DOM-based XSS detection in browser console logs if user complaints suggest malicious behavior. Query the AEM repository for suspicious script content in affected form components. Security scanning tools with XSS detection can identify persisted payloads if executed against the application.
Why prioritize this
Though CVSS 5.4 (MEDIUM) suggests moderate urgency, stored XSS affecting multi-user environments warrants swift remediation. The scope change and persistence mean a single injection compromises many users. Low barrier to exploitation (low-privileged user, standard attack) and lack of complex prerequisites amplify real-world risk. Organizations with externally-facing AEM forms should prioritize patching ahead of internal-only deployments.
Risk score, explained
The CVSS 5.4 score reflects that while impact is limited to confidentiality and integrity (no availability loss) and requires user interaction, the vulnerability is easy to exploit (low AC, no special privileges beyond basic auth), network-accessible, and crosses privilege boundaries (scope changed). The persistence and multi-user impact justify treating this as higher risk than the base score alone suggests in practical security planning.
Frequently asked questions
What form fields are vulnerable?
Adobe's advisory will specify which form field types are affected. Generally, custom and standard form components that accept user input and display it to other users without proper sanitization are at risk. Check the vendor bulletin for specific component guidance.
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires at least low-level user authentication. Attackers must have valid AEM credentials. However, many organizations grant broad read/submit permissions to internal or partner users, so the 'low privilege' bar may be low in practice.
Does patching require downtime?
Downtime depends on your AEM deployment architecture and patch strategy. Blue-green deployments or clustered setups may allow zero-downtime patching. Verify with Adobe's guidance and test in your environment before applying to production.
How does this differ from reflected XSS?
Stored XSS persists in the database, so the malicious script executes every time any user views the affected page—making it more dangerous than reflected XSS, which requires the victim to click a malicious link. Remediation for stored XSS often requires both code patching and data cleanup.
This analysis is based on the CVE record and publicly available information as of the publication date. Organizations must verify affected versions, patch availability, and compatibility in their environment by consulting Adobe's official security advisories. SEC.co provides this information for informational purposes; organizations are responsible for their own risk assessment and remediation decisions. No guarantee is made regarding patch effectiveness or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47945MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch & Detection Guide