CVE-2026-47945: Adobe Experience Manager Stored XSS Vulnerability – Patch & Detection Guide
Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw that allows attackers with low-level account access to inject malicious JavaScript into form fields. When legitimate users view pages containing these compromised fields, the malicious script executes in their browsers, potentially compromising their sessions, stealing credentials, or performing unauthorized actions on their behalf. The vulnerability affects multiple versions of AEM through version 2026.04 and earlier LTS releases.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47945 is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager affecting versions 6.5.24, LTS SP1, 2026.04 and earlier. The flaw exists in form field handling where inadequate input sanitization permits authenticated attackers to persist malicious JavaScript payloads. Upon victim access to the contaminated form, the injected script executes within their security context. The CVSS 3.1 vector (5.4 MEDIUM) reflects low complexity exploitation, low privilege requirement, and changed scope—indicating potential impact beyond the vulnerable component itself.
Business impact
Compromised AEM instances can become vectors for credential theft, unauthorized content manipulation, and lateral movement within connected systems. Marketing and content teams may inadvertently spread malicious payloads to customers or partners accessing published content. Remediation delays increase exposure window; organizations relying on AEM for customer-facing digital experiences face reputational and operational risk if malicious scripts execute during active campaigns.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 or earlier are vulnerable. Organizations running any of these versions should enumerate affected instances, prioritizing those with internet-facing authoring or publishing environments and high user traffic.
Exploitability
The vulnerability requires valid user credentials, limiting the attack surface to insider threats or attackers with compromised low-privilege accounts. However, the low attack complexity and requirement for only user interaction (victim browsing the page) make it readily exploitable once access is obtained. No CISA KEV listing indicates this is not yet observed in active exploitation campaigns, but the accessible attack vector warrants prompt attention.
Remediation
Adobe has released patches for affected versions. Organizations should immediately apply updates to versions after 2026.04 and verify patching completeness across all AEM deployments. Additionally, enforce strict content validation policies, implement Web Application Firewall (WAF) rules to detect XSS patterns in form submissions, and conduct user awareness training on recognizing suspicious form behavior.
Patch guidance
Consult Adobe's official security bulletin for CVE-2026-47945 to identify patched versions specific to your deployment (6.5.x, LTS SP1, or 2026.x track). Verify patch versions against the vendor advisory before deployment. Test patches in a non-production environment to ensure compatibility with custom extensions or configurations. Prioritize authoring instances and publicly accessible forms first. Given the low-privilege requirement, ensure the patching applies even to non-administrative user interfaces.
Detection guidance
Search AEM activity logs for unusual form field modifications, especially those containing script tags, encoded JavaScript, or suspicious event handlers. Monitor for unexpected changes to component or template definitions. Implement WAF signatures to block form submissions containing common XSS payloads. Audit recent form submissions to identify injected content and affected content fragments. Use browser developer tools when reviewing published pages to spot unexpected script execution.
Why prioritize this
Although CVSS scores a MEDIUM 5.4, the combination of persistent storage, changed scope, and accessibility to low-privileged users elevates practical risk. Unlike reflected XSS, stored payloads affect all users viewing the page indefinitely until remediated. Organizations with high-traffic customer-facing AEM deployments should treat this as high-priority to prevent brand damage and customer exposure.
Risk score, explained
The CVSS 5.4 MEDIUM rating reflects the attack's requirement for valid credentials (Low PR) and user interaction (UI requirement), balanced against network accessibility and changed scope. The score does not fully capture the persistent nature of stored XSS or reputational impact; internal risk prioritization should consider your organization's user base size, public-facing reliance on AEM, and regulatory obligations around customer data protection.
Frequently asked questions
Can this vulnerability be exploited remotely without credentials?
No. CVE-2026-47945 requires valid user authentication to inject payloads into form fields. However, once injected and stored, any user browsing the affected page—including unauthenticated visitors to published content—may be compromised.
Are all Adobe Experience Manager versions affected?
No. Only versions 6.5.24, LTS SP1, 2026.04 and earlier are listed as vulnerable. Verify your exact version number and check Adobe's advisory for patched versions specific to your release track.
What should we do if we discover injected malicious scripts in our forms?
Immediately: isolate the affected form, purge compromised content versions from history if possible, and audit form submission logs for attacker activity. Review published pages for signs of injection, notify affected users, and apply the security patch as soon as possible. Consider engaging incident response if data theft is suspected.
Do we need to patch if our AEM instance is only used internally?
Internal-only deployment reduces immediate customer risk but does not eliminate insider threat or lateral movement risk. Patch as part of your standard update cycle, prioritizing externally facing instances first.
This analysis is based on published vulnerability data and vendor information current as of June 2026. Specific patch versions, product lifecycles, and remediation timelines must be verified directly against Adobe's official security bulletins and your organization's affected asset inventory. SEC.co provides this intelligence for informational purposes; organizations should conduct independent risk assessment and engage vendor support for compliance with their specific contractual and regulatory obligations. Patch testing and deployment should follow your organization's change management procedures. This document does not constitute legal, compliance, or vendor-specific configuration advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4