CVE-2026-47954: Adobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw that allows attackers with basic user privileges to embed malicious code into form fields. When other users view pages containing these compromised fields, the injected scripts execute in their browsers, potentially allowing the attacker to steal credentials, session tokens, or perform actions on behalf of the victim. The vulnerability affects multiple versions of AEM up to and including 6.5.24, LTS SP1, and 2026.04.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47954 is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager that requires low-privileged user authentication but no special access controls to exploit. An attacker can inject malicious JavaScript into form field inputs that persist in the application's database. When authenticated or unauthenticated users subsequently access pages displaying these fields, the payload executes within their browser context with the privileges of the viewing user. The CVSS 3.1 score of 5.4 reflects medium severity: while impact is limited to confidentiality and integrity (no availability impact), the attack surface is network-accessible and requires only legitimate user interaction to trigger.
Business impact
Compromised AEM instances become vectors for credential theft, session hijacking, and unauthorized administrative actions. If attackers inject scripts that capture form submissions or redirect users to credential harvesting pages, customer trust erodes and compliance obligations (GDPR, HIPAA, PCI-DSS depending on data handled) may be breached. Incident response and user notification costs compound the operational disruption. For organizations using AEM as their primary digital asset management or content delivery platform, widespread injection could deface or corrupt published content.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and all earlier releases are vulnerable. Organizations should inventory all AEM deployments and their versions immediately. The vulnerability affects both on-premises and cloud-hosted AEM instances. Any environment where low-privileged users (e.g., content authors, marketers) can input data into form fields is at risk.
Exploitability
Exploitation requires valid user credentials—the attacker must be able to authenticate to AEM, even with minimal permissions. No special tools or deep technical knowledge are needed; the attacker simply submits malicious JavaScript through a form field and waits for other users to view the page. The low barrier to entry and guaranteed execution (upon page load by any viewer) make this vulnerability practical to exploit in multi-user environments. However, the requirement for prior authentication and user interaction to view the injected content slightly reduces the attack surface compared to unauthenticated XSS.
Remediation
Apply Adobe's security patch for CVE-2026-47954 as soon as it becomes available. Verify the specific patched versions against Adobe's official security bulletin. Interim mitigations include: restricting form field input to trusted users only, implementing strict Content Security Policy (CSP) headers to limit script execution, validating and sanitizing all user inputs on both client and server side, and disabling form submissions from untrusted sources. Consider temporarily disabling affected form functionality until patches are deployed if high-risk data is handled.
Patch guidance
Monitor Adobe's security advisories and PSIRT announcements for the release date and version numbers of patched builds. Adobe typically provides fixes for multiple version branches; ensure your patching plan covers all in-use versions (6.5.x, LTS SP1, 2026.x series). Test patches in a non-production environment before rollout. Given the authentication requirement, consider prioritizing updates for internet-facing AEM instances and those handling sensitive data.
Detection guidance
Look for form submissions containing suspicious script tags (<script>, onerror=, onload=, etc.) in AEM audit logs and request payloads. Monitor for JavaScript execution errors or unexpected DOM modifications on pages using vulnerable form fields. Deploy web application firewalls (WAF) with XSS detection rules to block payloads containing event handlers and script tags before they reach AEM. Enable AEM's query and request logging at DEBUG level to capture encoded and obfuscated payloads. Correlate successful injections with user accounts to identify compromised credentials.
Why prioritize this
Although the CVSS score is medium (5.4), prioritize this vulnerability for organizations where AEM hosts customer-facing applications or handles sensitive user data. The stored nature of the XSS means the attack persists and affects all subsequent viewers—not just the initial victim. The low barrier to exploitation (any authenticated user can inject) and the cross-site scope (affecting session and cookie contexts) elevate practical risk beyond the base score. Patch within 30 days; expedite if AEM is internet-exposed or used by large user populations.
Risk score, explained
CVSS 3.1 score 5.4 (MEDIUM) reflects: network accessibility (AV:N), low complexity attack (AC:L), requirement for low privileges (PR:L), user interaction needed for execution (UI:R), and changed scope (S:C) with limited confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). The changed scope designation accounts for the attacker's ability to affect other users' sessions and privileges, elevating the severity from a simple single-user impact. However, the authentication requirement prevents this from being rated CRITICAL or HIGH.
Frequently asked questions
Who can exploit this vulnerability?
Any user with valid AEM credentials—including content authors, marketers, or other low-privileged roles—can inject malicious scripts. The attacker does not need administrative privileges. Organizations should assume that compromised or malicious insiders can exploit this flaw.
What happens if I don't patch?
Attackers can persistently inject malicious scripts into your forms, stealing credentials, session cookies, and personal data from all users who view those pages. The attack is passive from the viewer's perspective—they see normal form fields but their browsers execute hidden malicious code.
Can a WAF or CSP fully protect me until I patch?
A robust Content Security Policy and WAF with strict XSS rules can mitigate the risk significantly but are not foolproof substitutes for patching. Determined attackers may bypass filters using encoding or novel payload techniques. Interim controls should buy time for testing and deployment, not replace patching.
Does this affect AEM Cloud Service?
Adobe has separate release schedules and patch cycles for Cloud Service versus on-premises AEM. Consult Adobe's advisory to confirm whether your specific AEM delivery model (on-premises, managed services, or Cloud Service) is affected and the timeline for fixes.
This analysis is based on the CVE record published as of 2026-06-17. Patch availability, version numbers, and official remediation steps must be verified directly against Adobe's security bulletin and PSIRT advisories. Organizations should conduct their own risk assessment based on their specific AEM configurations, user base, and data sensitivity. This content is for informational purposes only and does not constitute professional security advice. Always test patches in isolated environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4