CVE-2026-47956: Adobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager versions through 6.5.24, LTS SP1, and 2026.04 contain a stored cross-site scripting (XSS) flaw in form field handling. An attacker with basic user privileges can inject malicious JavaScript into vulnerable fields. When legitimate users view pages containing these fields, the injected scripts execute in their browsers. This is particularly concerning because the vulnerability changes scope—meaning an attacker could potentially affect other users or system functionality beyond the immediate form context.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47956 is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager affecting versions 6.5.24, LTS SP1, and 2026.04 or earlier. The vulnerability exists in form field processing logic where input validation is insufficient, allowing low-privileged users to persist malicious JavaScript payloads. When authenticated users subsequently access pages containing these compromised fields, the browser executes the stored payload without proper sanitization or context-aware encoding. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network accessibility, low complexity, low privilege requirement, and scope change—indicating the attack can impact resources beyond the original vulnerable component.
Business impact
Stored XSS vulnerabilities in AEM pose reputational and operational risks. Attackers can deface web pages, redirect users to malicious sites, steal session cookies or sensitive form data, or perform unauthorized actions on behalf of compromised users. Because AEM is commonly used for content management and digital experiences, successful exploitation could affect customer-facing portals, marketing sites, or internal collaboration platforms. The scope-change aspect elevates concern: attackers might manipulate shared resources or exploit trust relationships between AEM components and integrated systems. Organizations relying on AEM for critical customer touchpoints face potential service disruption and compliance exposure.
Affected systems
The vulnerability affects Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and all earlier versions in these release lines. Organizations running any instance of AEM prior to confirmed patched versions should assess their deployment. This includes on-premises installations, cloud-hosted instances, and hybrid deployments. The presence of low-privilege user accounts with form field modification capabilities increases risk surface.
Exploitability
Exploitation requires valid user credentials (low privilege sufficient) and is not listed on CISA's Known Exploited Vulnerabilities catalog as of the vulnerability's public disclosure. However, the attack is straightforward to execute: an authenticated attacker crafts malicious JavaScript, injects it into a vulnerable form field, and waits for other users to access the contaminated page. No special tools or zero-day techniques needed. User interaction (victim browsing the affected page) is required, making social engineering or natural browsing a realistic attack vector. The network-accessible nature and low complexity increase practical exploitability over time if left unpatched.
Remediation
Upgrade Adobe Experience Manager to patched versions released by Adobe addressing CVE-2026-47956. Verify against the official Adobe security advisory for exact patched versions and release dates. Interim controls include: restricting form field modification permissions to trusted administrators, implementing Web Application Firewalls (WAF) rules to detect and block XSS payloads in form submissions, enabling output encoding on affected form fields, and conducting user awareness training on not clicking suspicious links within AEM-rendered pages.
Patch guidance
Consult Adobe's security bulletin for CVE-2026-47956 to identify the minimum patched versions for your release line (6.5.x, LTS SP1, 2026.x). Adobe typically provides patches through their regular security update cycles; prioritize testing patches in a staging environment before production deployment to ensure compatibility with custom extensions and integrations. Plan patching windows with consideration for AEM's role in your content delivery pipeline. Organizations on extended support or custom maintenance agreements should verify patch availability with their Adobe account team.
Detection guidance
Monitor AEM form submission logs and audit trails for unusual script-like payloads or HTML/JavaScript keywords in form field values. Implement Content Security Policy (CSP) headers to limit script execution contexts and detect policy violations. Use browser developer tools or security scanners to identify unescaped user input in rendered pages. Track form field modifications by low-privilege users and flag high-volume or unusual patterns. Review stored form data repositories for suspicious patterns. Deploy SIEM rules to correlate form submissions with subsequent page views by multiple users, which may indicate successful XSS injection.
Why prioritize this
This vulnerability merits medium-to-high priority remediation despite the MEDIUM CVSS score due to: (1) stored persistence—the threat does not require ongoing attacker presence; (2) scope change—potential cross-component or cross-user impact; (3) low barrier to exploitation—any authenticated user can inject; (4) common AEM deployment in customer-facing environments where data theft or malware distribution poses high business risk; (5) lack of current public exploit does not guarantee future safety. Organizations should prioritize patching instances handling sensitive user data or public-facing content.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the intersection of moderate impact (confidentiality and integrity loss to other users/components) and significant attack feasibility (network-based, low complexity, requiring only basic authentication and user interaction). The score is driven down from HIGH by the requirement for user interaction and low privilege scope. However, the scope-change modifier elevates concern beyond a typical reflected XSS—this should weigh into organizational risk assessment independent of the numeric score. Business context (whether AEM handles PII, payment data, or high-visibility content) should inform internal risk elevation.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. CVE-2026-47956 requires a valid, low-privileged user account to inject malicious scripts into form fields. However, once injected, any user browsing the affected page—including unauthenticated visitors in some AEM configurations—may be impacted.
Is there a public exploit available for this vulnerability?
As of the vulnerability's disclosure date (June 9, 2026), CVE-2026-47956 is not listed on CISA's Known Exploited Vulnerabilities catalog. This does not guarantee an exploit will not emerge; prompt patching remains essential.
How does the 'scope change' aspect affect our risk?
Scope change (CVSS S:C) means the vulnerability can impact resources or services beyond the vulnerable component itself. In this case, injected scripts could potentially affect other users' sessions, trigger actions in integrated systems, or compromise shared data—not just the form field where the attack was inserted.
What is the difference between stored and reflected XSS, and why does it matter here?
Reflected XSS requires an attacker to trick users into clicking a crafted link; the payload is not saved. Stored XSS persists in the database; the attacker injects once, and every user who views the page is at risk indefinitely until remediated. Stored XSS is generally considered more severe and harder to mitigate without patching.
This analysis is provided for informational purposes and is current as of the vulnerability publication date (June 9, 2026). Patch version numbers, KEV status, and vendor-specific technical details should be verified against official Adobe security advisories and your organizational testing protocols. SEC.co does not provide guarantee of exploit code availability, exploit difficulty, or real-world attack prevalence. Organizations should conduct internal risk assessments specific to their AEM configurations, data sensitivity, and threat landscape. This summary is not a substitute for detailed vendor guidance or professional security consultation. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4