MEDIUM 5.4

CVE-2026-47957: Adobe Experience Manager Stored XSS Vulnerability – CVSS 5.4 Medium

Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored cross-site scripting (XSS) flaw in form field handling. An attacker with low-level system access can inject malicious JavaScript that persists in the application and executes whenever a user views the affected page, potentially allowing credential theft, session hijacking, or malware distribution. The vulnerability requires user interaction—a victim must navigate to the compromised form—but the attacker does not need elevated privileges to introduce the payload.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a Stored XSS vulnerability (CWE-79) affecting AEM's form processing mechanism. An authenticated but low-privileged user can inject arbitrary JavaScript into form fields; the payload is retained server-side and reflected to subsequent visitors without sanitization. The CVSS 3.1 score of 5.4 (Medium) reflects network-based attack vector, low attack complexity, and requirement for low privileges and user interaction. Notably, the scope is changed, meaning the malicious script executes in a security context beyond the vulnerable component itself—typically the user's browser session within the broader AEM application or portal. This elevates risk compared to reflected XSS confined to a single parameter.

Business impact

Organizations running affected AEM instances risk brand damage, regulatory compliance failures (GDPR, CCPA), and loss of customer trust if user credentials or personal data are harvested through injected scripts. Attackers could deface collaborative spaces, redirect users to phishing sites, or inject malware redirects. For digital marketing and content management teams relying on AEM, this could disrupt form submissions, analytics data integrity, and user engagement workflows until patching is complete.

Affected systems

The vulnerability affects Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and all earlier releases within these support lines. Organizations should audit their deployed AEM instances to determine which versions are in use. LTS (Long-Term Support) editions may be particularly common in enterprise environments and should be prioritized for inventory and patching.

Exploitability

Exploitability is moderate and practical. The attacker requires valid AEM user credentials (low privilege level), and the victim must visit a page containing the malicious form field. No special network conditions or system configurations are required. However, the need for both authentication and user interaction creates friction that may limit opportunistic mass exploitation. The flaw is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation is not yet widespread—but this does not guarantee it will remain unexploited as public awareness grows.

Remediation

Apply the security patch released by Adobe for affected versions. Verify the specific patched versions from Adobe's official security advisory. In the interim, implement input validation and output encoding for all form fields, apply Web Application Firewall (WAF) rules to block JavaScript payloads in form submissions, and restrict form access to authenticated users only. Consider disabling or removing unused form fields that may not be monitored for injection.

Patch guidance

Adobe has released security updates addressing this vulnerability; verify against the vendor advisory for precise patched versions available for each supported AEM line (6.5.x, LTS SP1, and 2026.x). Prioritize patching production AEM instances, followed by staging and development environments. Test patches in a non-production environment to ensure no disruption to form workflows or integrations before production rollout. Given the low privilege requirement, this should not be delayed waiting for a major AEM upgrade cycle.

Detection guidance

Monitor AEM request logs for unusual characters or script tags in form field submissions (e.g., <script>, javascript:, onerror=, onclick=). Inspect stored form data for unexpected HTML or JavaScript. Enable content security policy (CSP) headers on AEM to restrict inline script execution. Use browser-based security testing tools to scan form pages for reflected or stored XSS. Check user activity logs for accounts making form field modifications outside normal business processes. Log analysis should focus on users with lower privilege levels creating or modifying form content.

Why prioritize this

Although the CVSS score is Medium (5.4), the combination of stored persistence, cross-scope impact, low attack friction (only low privileges required), and broad AEM user base makes this a priority for patching. Stored XSS is inherently riskier than reflected variants because the payload affects all users who view the page, not just the attacker's next target. In enterprise AEM deployments supporting customer-facing forms or internal collaboration, compromise could propagate rapidly once injected.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects: (1) Network-based attack surface (AV:N), (2) Low attack complexity (AC:L)—no special conditions needed, (3) Low privilege requirement (PR:L), (4) Required user interaction (UI:R), and (5) Limited impact scope—confidentiality and integrity are impacted but not availability. However, the 'scope changed' notation (S:C) indicates the vulnerability reaches beyond the vulnerable component, which elevates the score. The score does not fully capture the persistence and cascading user impact of stored XSS, so risk should be contextualized within your threat model and asset criticality.

Frequently asked questions

Does this vulnerability allow remote code execution on the AEM server?

No. The vulnerability is limited to client-side JavaScript execution within a victim's browser. It does not grant the attacker direct access to the AEM backend, file system, or database. However, the injected script can steal session cookies or user credentials, potentially leading to account takeover and subsequent backend compromise.

Can this vulnerability be exploited by unauthenticated users?

No. The attacker must have valid AEM user credentials, even at a low privilege level (e.g., contributor or content author role). However, many organizations provision broad write access to forms, making this attack surface wider than it should be in practice.

What is the difference between this stored XSS and a reflected XSS?

Stored XSS persists in the application database and affects every user who views the compromised page, making it a persistent threat. Reflected XSS requires the victim to click a malicious link and only affects that single visit. This stored variant is generally more dangerous because the attacker does not need to trick a victim into clicking a link—compromise is automatic upon page view.

If we are on a version earlier than 6.5.24, do we need to patch?

Yes. The advisory states that versions earlier than 6.5.24 (as well as LTS SP1 and 2026.04 and earlier) are affected. You should verify the exact patched versions available for your AEM edition and upgrade as soon as testing permits.

This analysis is provided for informational purposes and is based on vendor advisories and CVE data current as of the publication date. Always consult Adobe's official security bulletins for authoritative patching guidance and affected product lists. SEC.co makes no warranty regarding the completeness or accuracy of remediation advice. Organizations must conduct their own risk assessment and testing before deploying patches in production environments. Patch availability and version numbers should be verified against Adobe's official security advisory before implementation. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).