CVE-2026-47958: Adobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier contain a stored cross-site scripting (XSS) flaw in form field handling. A low-privileged user can inject malicious JavaScript that persists in the application and executes when other users view the affected page. Because the vulnerability has a changed scope—meaning the impact crosses trust boundaries—it affects not just the immediate application but potentially other parts of the system or connected domains.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored XSS vulnerability (CWE-79) residing in AEM form field processing. The attack vector is network-based with low attack complexity; the attacker requires low privileges and the victim must interact with the page (click, view, or navigate to it). The injected payload remains in the application's backend, allowing repeated exploitation without re-injection. The vulnerability changes the security scope, elevating risk beyond traditional self-XSS limitations. CVSS 3.1 score is 5.4 (MEDIUM), reflecting low confidentiality and integrity impact with no availability impact.
Business impact
Organizations relying on AEM for content management, marketing automation, or customer-facing portals face credential theft, session hijacking, and reputational damage if attackers inject malware or phishing content into pages viewed by internal staff or customers. The low-privilege requirement lowers the barrier to exploitation; any authenticated user with form-posting rights becomes a potential vector. Incident response and customer notification costs could be significant if widespread injection occurs before detection.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier are in scope. Organizations running these versions with public-facing or multi-user authenticated forms are at highest risk. The vulnerability does not require special configuration; any form field accepting and displaying user input without proper encoding is a potential attack surface.
Exploitability
Exploitability is moderate. The attacker needs valid credentials (low privilege level) and must craft JavaScript payloads that bypass any client-side or basic server-side validation. The user interaction requirement (UI:R) means the victim must navigate to or view the contaminated page, which in a multi-user AEM environment is likely if the attacker injects into frequently visited content. No public exploit code or active exploitation has been reported at publication, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Apply the latest Adobe Experience Manager security patches immediately. Adobe has released updates for affected versions; verify patch availability in the official Adobe security advisory. As interim controls, restrict form field input to non-privileged users, implement strict Content Security Policy (CSP) headers, and enable output encoding on all form-displayed content. Code review of custom form handlers is recommended to ensure proper input validation and output escaping.
Patch guidance
Consult Adobe's official security advisory for patched version numbers specific to your deployment (6.5.x, LTS SP1, or 2026.x track). Apply patches in a test environment first, particularly if you have custom form components or integrations. Prioritize systems where low-privileged users (authors, contributors) can submit form data that reaches high-traffic pages. Verify patch application by confirming the absence of vulnerable form field rendering in your instance.
Detection guidance
Monitor AEM access logs and form submission events for suspicious JavaScript patterns (script tags, event handlers, encoded payloads) in form field values. Review stored form data and comments/metadata fields for unusual content. Deploy Web Application Firewalls (WAF) to detect and block XSS payloads in transit. Enable AEM's built-in audit logging and correlate form submissions with subsequent page rendering to identify injection timing. Look for unusual activity by low-privilege accounts submitting large or encoded form values to high-visibility pages.
Why prioritize this
Although CVSS 5.4 is MEDIUM severity, the combination of low attack complexity, low privilege requirement, and changed scope makes this a near-term priority. The stored nature means a single injection can compromise many victims. Organizations with high-visibility customer-facing or employee-facing AEM instances should patch within 30 days. If AEM is not internet-facing or form inputs are heavily restricted, relative priority can be lower.
Risk score, explained
CVSS 3.1 score of 5.4 reflects: network attack vector (AV:N) and low complexity (AC:L) lower the barrier to exploitation; low-privilege requirement (PR:L) is significant but not negligible in multi-user environments; user interaction (UI:R) prevents automatic exploitation; changed scope (S:C) elevates concern; low confidentiality and integrity impact (C:L/I:L) account for session hijacking and credential theft potential; no availability impact (A:N). The score is MEDIUM, not HIGH, because the vulnerability requires user interaction and doesn't yield remote code execution.
Frequently asked questions
Do we need to patch immediately if our AEM is behind a firewall and only accessible to internal employees?
Yes, but with adjusted urgency. Internal-only deployments still face risk from disgruntled insiders or compromised internal accounts. If your user base is large and form fields are shared across teams, stored XSS can still cause significant damage. Plan patching within 60 days; prioritize if your AEM instance stores sensitive internal data or credentials.
Will a Web Application Firewall (WAF) fully protect us while we wait for patches?
A WAF can block many XSS payloads in real-time, but it is not a complete substitute for patching. Sophisticated attackers may bypass WAF rules with encoding or context-specific payloads. WAF is a temporary mitigating control only; plan permanent remediation via patching.
What form fields are most at risk?
Any field that accepts user input and is later displayed to other users without encoding is at risk: comments, notes, custom metadata, rich text editors, and tag fields are common targets. Review your custom form components and ensure all output is HTML-encoded or sanitized before rendering.
How do we know if we've been exploited?
Examine stored form submissions and page HTML source for unusual script tags, event handlers (onclick, onload, etc.), or encoded JavaScript. Check AEM audit logs for form submissions by low-privilege accounts coinciding with unusual page load spikes. If you detect injection, isolate affected content, notify stakeholders, and preserve logs for forensic analysis.
This analysis is provided for informational purposes by SEC.co and reflects publicly available information as of the publication date. Patch version numbers and specific remediation steps must be verified against Adobe's official security advisories and your organization's deployment documentation. No exploit code or weaponized proof-of-concept details are provided. Organizations should conduct their own risk assessment based on their specific AEM configurations, user privileges, and network architecture. Consult with Adobe support and internal security teams before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4