CVE-2026-47948: Adobe Experience Manager Stored XSS Vulnerability in Form Fields
Adobe Experience Manager versions up to 6.5.24, LTS SP1, and 2026.04 contain a stored cross-site scripting (XSS) flaw that allows attackers with low-level account access to inject malicious JavaScript into form fields. When other users view pages containing these compromised fields, the attacker's scripts execute in their browsers, potentially allowing credential theft, session hijacking, or other client-side attacks. The vulnerability requires user interaction (viewing the affected page) and a valid login, but can impact users across different security contexts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager's form handling logic. An attacker with low privileges can inject unsanitized JavaScript into vulnerable form fields, which persists in the application's data store. When authenticated or unauthenticated users subsequently access pages containing these fields, the malicious script executes within their browser context with their privileges. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network-based attack, low complexity, requirement for low privileges and user interaction, and cross-scope impact affecting confidentiality and integrity without availability loss.
Business impact
Stored XSS in Experience Manager poses reputational and compliance risks, especially for organizations using AEM to manage customer-facing content or internal collaboration sites. Compromised form data could be weaponized to harvest credentials, distribute malware links, or conduct phishing campaigns against users who view affected pages. For enterprises managing regulated content (healthcare, finance, legal), data exfiltration through JavaScript execution may trigger breach notification and audit obligations. Customer trust is degraded if malicious content appears on branded digital properties.
Affected systems
Adobe Experience Manager 6.5.24, LTS SP1, 2026.04, and all earlier versions of these release streams are vulnerable. Organizations running supported versions should verify their exact patch level immediately. Versions released after 2026.04 are presumed patched; confirm against Adobe's security advisory for definitive version boundaries.
Exploitability
Exploitation requires a valid user account with sufficient privileges to submit or modify form data—a low bar in many AEM deployments where content editors, marketers, or site administrators have such access. An attacker does not need sophisticated tools; form injection is trivial. The barrier to weaponization is similarly low: malicious payloads can be crafted to steal cookies, redirect users, or execute reconnaissance. No exploit code or zero-day tooling is needed. However, exploitation does depend on victims visiting the compromised page, making broad impact less certain than remote unauthenticated vulnerabilities.
Remediation
Apply the security patch released by Adobe for your version branch (6.5.x, LTS SP1, or 2026.x). Patches should enforce strict input validation and output encoding on all form fields, preventing script injection. Until patching is complete, implement a Web Application Firewall (WAF) rule to detect and block JavaScript payloads in form submissions, though this is not a substitute for patching. Review audit logs for suspicious form submissions or modifications by low-privileged users in the weeks prior to patching.
Patch guidance
Consult Adobe's official security advisory for your specific version (6.5.24, LTS SP1, 2026.04, or earlier). Download and test patches in a non-production environment before rollout. AEM patches often require service pack updates; plan downtime accordingly. Prioritize patching if your instance hosts user-facing forms or collaborative content spaces. Verify patch application by confirming the new version number and running security scanner validation.
Detection guidance
Monitor AEM form submission logs for suspicious JavaScript patterns or HTML entities (e.g., <script>, javascript:, onerror=) in form field data. Set alerts on form modifications by accounts outside your content-authoring team, especially low-privileged accounts. Use browser developer tools or security scanners to inspect rendered form fields for unexpected JavaScript execution. Log ingestion into a SIEM can flag anomalous submission patterns. Periodically scan your AEM instance for stored XSS using commercial or open-source web vulnerability scanners.
Why prioritize this
Although CVSS 5.4 (Medium) is moderate, prioritize this vulnerability because stored XSS is a high-confidence attack vector that can affect multiple users from a single injection point. AEM typically manages sensitive business content and user interactions; compromise undermines data integrity and user trust. Low barrier to exploitation (existing login required, but common in organizations) and cross-scope impact elevate real-world risk beyond the base score. Patch within 30 days if AEM is customer-facing or handles regulated data; 60 days for internal-only deployments.
Risk score, explained
CVSS 5.4 reflects the combination of network accessibility, low attack complexity, and low privilege requirement balanced against the need for user interaction and limited impact scope (no availability loss, partial confidentiality/integrity). The 'cross-scope' component (S:C) elevates severity because injected scripts can affect users other than the attacker. This is not a critical vulnerability, but it is substantive and warrants prompt remediation given AEM's role in many organizations' digital infrastructure.
Frequently asked questions
Do we need a valid login to exploit this, or can anonymous users inject malicious scripts?
A valid login with low privileges (e.g., content editor, form contributor) is required to inject the payload. Unauthenticated users cannot directly exploit the vulnerability, but they are at risk if they view pages containing the malicious form field, where the script will execute in their browser.
How is this different from a reflected XSS?
Stored XSS persists in the database, so every visitor to an affected page is exposed automatically without needing a special link or parameter. This makes it more dangerous because victims have no reason to suspect the page is compromised, and a single attacker injection can compromise many users over time.
What should we do if we cannot patch immediately?
Implement input validation and output encoding at the WAF or application level to block JavaScript payloads. Limit form modification privileges to trusted administrators. Monitor logs for suspicious submissions. Schedule patching within 30 days for customer-facing systems, 60 days for internal systems. Do not rely solely on WAF rules as a permanent fix.
Are there workarounds or mitigations that eliminate the risk?
No complete workaround eliminates the vulnerability itself. Defense-in-depth measures (WAF, CSP headers, restrictive CORS policies) reduce attack surface and impact, but patching is the only guaranteed remediation. Content Security Policy can help prevent inline script execution, but does not stop the attacker from stealing data via form submissions or DOM manipulation.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. We do not provide exploit code or weaponized proof-of-concept details. Organizations must verify patch applicability and version numbers against Adobe's official security advisories and their own inventory. Testing patches in non-production environments before deployment is mandatory. SEC.co assumes no liability for reliance on this intelligence; consult with your security and legal teams for compliance and incident response planning. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4