CVE-2026-47950: Adobe Experience Manager Stored XSS in Form Fields
Adobe Experience Manager (AEM) contains a stored cross-site scripting (XSS) flaw that allows low-privileged users to embed malicious scripts into form fields. When other users view pages containing these compromised fields, the attacker's JavaScript runs in their browsers with the victim's permissions. The vulnerability affects multiple AEM versions including 6.5.24, LTS SP1, 2026.04 and earlier.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager's form handling mechanisms. An authenticated attacker with low privileges can inject arbitrary JavaScript into specific form fields that persist in the application's data store. The injected payload executes in victim browsers when they access the affected page, with scope change indicating the attack can impact other users beyond the immediate context. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, requirement for low privileges and user interaction, changed scope, and limited confidentiality and integrity impact.
Business impact
Organizations running affected AEM instances face risks of internal data theft, session hijacking, and malware distribution targeting employees who access compromised pages. The stored nature means the attack persists until remediated—every user viewing the affected form is potentially exposed. In content management contexts, compromised forms could damage user trust and compliance posture if customer data is exfiltrated through XSS payloads. Incident response and forensic costs may be substantial if the vulnerability is exploited in production environments.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations should inventory AEM deployments across these versions and prioritize patching for production instances that handle sensitive data or customer interactions.
Exploitability
The vulnerability requires authentication (low-privilege user account) and user interaction (a victim must browse the compromised form), reducing opportunistic exploit potential. However, in multi-user AEM environments where content creators or low-privileged editors exist, the barrier to entry is moderate. No public exploit code or active exploitation has been reported as of the published date. Given the low barrier to credential acquisition in many organizations, threat actors could leverage compromised or insider accounts to inject payloads with relative ease.
Remediation
Adobe has released patches addressing this vulnerability. Organizations should apply vendor-supplied updates to move beyond affected versions. Until patching is complete, restrict form field editing permissions to trusted users, disable public form submission where possible, and implement content security policy (CSP) headers to mitigate XSS impact. Monitor form field modifications and user access logs for suspicious activity.
Patch guidance
Consult Adobe's official security advisory for the specific patch version applicable to your AEM configuration (6.5.x LTS, 2026.x release line, or other variants). Test patches in a non-production environment before deployment to ensure compatibility with custom components and integrations. Apply patches in a phased approach, prioritizing externally accessible or data-sensitive AEM instances. Document patch application timestamps and affected version numbers for compliance records.
Detection guidance
Search AEM audit logs for unusual form field modifications, particularly by low-privileged users or service accounts. Inspect form field values for JavaScript patterns (script tags, event handlers, encoded payloads). Deploy Web Application Firewall (WAF) rules to detect XSS signatures in HTTP POST requests targeting form endpoints. Monitor Content Security Policy violation reports for injected script execution attempts. Review AEM version inventory regularly to identify unpatched instances.
Why prioritize this
Although rated MEDIUM severity, this vulnerability warrants prompt attention because: (1) it exploits a common attack vector (form injection) with broad user exposure in collaborative environments; (2) the stored nature means one injection affects multiple users; (3) scope change indicates cross-context impact; (4) AEM often manages sensitive marketing and customer data; (5) low privilege requirement increases insider threat surface. Organizations with public-facing AEM instances or high user counts should treat this with higher urgency.
Risk score, explained
The CVSS 5.4 MEDIUM score reflects the attack's limited severity impact (no availability loss, partial confidentiality/integrity compromise) but factors in the ease of exploitation over the network with low attack complexity and low privilege requirement. The 'user interaction required' element and lack of availability impact prevent a higher score. However, the changed scope and stored persistence nature elevate real-world risk beyond the base metric—apply organizational context (data sensitivity, user count, external exposure) when deciding patch timing.
Frequently asked questions
Does this vulnerability allow unauthenticated attacks?
No. The vulnerability requires valid AEM credentials with at least low-privilege user rights. Attackers cannot exploit this via anonymous access to the application.
Can content security policy (CSP) fully prevent this attack?
A strict CSP can significantly reduce XSS impact by preventing inline script execution and external script loading. However, CSP is a secondary control; patching the underlying form validation flaw is the primary remediation.
What form fields are affected?
Adobe's advisory specifies certain form field types; review the vendor security bulletin for the exact list. All custom forms should be assessed for similar injection points regardless of field type.
Does this affect AEM as a Cloud Service?
The advisory lists specific on-premises and traditional AEM versions. Verify Adobe's guidance on Cloud Service versions to confirm whether your deployment model is in scope.
This analysis is based on publicly available vulnerability data as of June 2026 and is provided for informational purposes. Organizations should independently verify affected versions, patch availability, and applicability to their specific AEM configurations against Adobe's official security advisories. Testing and deployment timelines should align with organizational change management policies. This content does not constitute professional security advice; engage qualified security professionals for incident response or remediation planning. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4