MEDIUM 5.4

CVE-2026-47972: Adobe Experience Manager Stored XSS Vulnerability in Form Fields

Adobe Experience Manager (AEM) contains a stored Cross-Site Scripting flaw that allows low-privileged users to inject malicious JavaScript into form fields. When other users view pages containing these compromised fields, the attacker's script executes in their browsers, potentially compromising sessions, stealing credentials, or performing actions on their behalf. The vulnerability affects multiple AEM versions through 2026.04.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a stored XSS vulnerability (CWE-79) in Adobe Experience Manager where insufficient input sanitization in form field handling allows authenticated users with low privileges to persist malicious JavaScript payloads. The injected scripts execute with the same privileges as the victim viewing the page, and the scope change indicates the vulnerability can affect resources beyond the vulnerable component itself. The attack requires user interaction (viewing the compromised page) but no special network positioning or complex exploitation techniques.

Business impact

Organizations running vulnerable AEM instances face risk of session hijacking, credential theft, and unauthorized actions performed on behalf of legitimate users. Content editors or other low-privileged users could compromise the integrity of published pages without detection. In multi-tenant or partner environments, this could facilitate lateral movement or supply chain attacks. Remediation requires coordinated patching across AEM deployments, potentially affecting content management workflows during updates.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected. Organizations should inventory their AEM deployments across all instances and service packs to determine exposure scope. The broad version range suggests this may affect both legacy and recently deployed environments.

Exploitability

Exploitation requires valid authentication (PR:L in the CVSS vector), so external attackers cannot directly exploit this flaw. However, the low barrier to entry—any low-privileged user such as a content contributor, editor, or partner account—makes this readily exploitable by insider threats or compromised accounts. Once malicious content is injected, it persists and affects all subsequent viewers without additional attacker interaction, maximizing blast radius.

Remediation

Apply Adobe's security patches for affected AEM versions immediately. Verify patched versions against Adobe's official security advisory. Until patches are applied, implement input validation and output encoding policies at the application level, restrict form field modification permissions to trusted roles only, and consider deploying Web Application Firewalls configured to detect and block suspicious JavaScript patterns in form submissions.

Patch guidance

Consult Adobe's official security advisory for your specific AEM version (6.5.24, LTS SP1, or 2026.04) to identify the correct patch version and installation method. Test patches in a non-production environment first to ensure compatibility with custom extensions or integrations. Coordinate patching across all AEM instances to prevent inconsistent security postures. Verify successful patching by confirming the vulnerability is no longer present in your environment.

Detection guidance

Monitor AEM audit logs for unusual form field modifications, particularly by low-privileged accounts or service accounts. Search HTTP request payloads for JavaScript keywords and common XSS patterns (script tags, event handlers, dangerous protocols) in form field submissions. Review published pages and components for unexpected script tags or suspicious content. Implement Content Security Policy (CSP) headers to restrict script execution and log violations. Test form fields for stored XSS using both automated scanners and manual injection of benign JavaScript markers.

Why prioritize this

Although rated MEDIUM severity, the combination of low authentication barriers, stored persistence, and potential for broad victim exposure across content consumers warrants priority patching. The scope change enlarges the attack surface beyond the vulnerable form field component itself. Organizations should prioritize this based on AEM deployment criticality and the privilege levels of content management accounts.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for authenticated access (PR:L) and user interaction (UI:R), which limits direct exploitability. However, the stored nature of the XSS and the scope change increase practical risk. The low CVSS is not an indicator that patching can be deferred—stored XSS in content management systems poses significant organizational risk due to persistence and reach.

Frequently asked questions

Can external attackers exploit this without a login?

No. The vulnerability requires valid authentication to inject malicious content into form fields. External attackers must first compromise a valid AEM account or exploit a separate authentication flaw. However, once injected, the malicious content is stored and affects all viewers, regardless of their privilege level.

What versions of AEM are affected?

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected. Consult Adobe's security advisory for the exact list of affected service packs and to confirm whether your specific version is included.

How does stored XSS differ from reflected XSS in terms of risk?

Stored XSS persists in the application database or storage, affecting every user who views the compromised content without additional attacker effort. Reflected XSS requires the attacker to trick victims into clicking a malicious link. Stored XSS in AEM form fields is particularly dangerous because content is served to thousands of users automatically.

If we restrict form field editing permissions, does that fully mitigate the risk?

Restricting permissions to trusted roles significantly reduces risk by limiting who can inject malicious content, but it does not fully mitigate the vulnerability itself. Patching remains essential, as compromised low-privileged accounts or insider threats could still exploit the flaw. Permissions restrictions should complement, not replace, patching.

This analysis is based on publicly available vulnerability data and Adobe's disclosures as of the modification date. CVSS scores and affected version lists reflect authoritative vendor information and should be verified against Adobe's official security advisory for your deployment. Patch availability, timelines, and version numbers must be confirmed directly with Adobe. This document does not constitute professional security advice; consult your security team and vendor guidance before making patching decisions. Exploit code, proof-of-concept instructions, and weaponized attack details are not provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).