CVE-2026-47974: Adobe Experience Manager Stored XSS Vulnerability
Adobe Experience Manager has a stored cross-site scripting (XSS) vulnerability that allows attackers with low-level user access to inject malicious JavaScript into form fields. When other users view those compromised pages, the malicious code runs in their browsers. This is a scope-change vulnerability, meaning an attacker can potentially affect users beyond their normal permission level. The vulnerability affects multiple recent versions of AEM.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47974 is a stored XSS flaw (CWE-79) in Adobe Experience Manager that enables low-privileged attackers to persist malicious JavaScript payloads in vulnerable form fields. The attack requires user interaction—a victim must browse to the page containing the injected payload—at which point the JavaScript executes in the victim's security context. The scope change (S:C in the CVSS vector) indicates the vulnerability can impact confidentiality and integrity beyond the attacker's normal authorization boundary. Affected versions include 6.5.24, LTS SP1, 2026.04, and earlier releases.
Business impact
Organizations using vulnerable AEM versions face session hijacking, credential theft, malware distribution, and defacement risks. Because the vulnerability requires only low-privilege access, internal threats or compromised contractor accounts become meaningful attack vectors. Customer-facing content delivery through AEM could be weaponized to target visitors. Regulatory exposure exists if user data is exfiltrated through XSS payloads. Recovery requires identifying all injected form fields, notifying affected users, and potentially resetting sessions and credentials.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations should audit their deployed AEM versions immediately. Any instance allowing user-generated content or form submissions is at risk. On-premises and cloud-hosted deployments are both affected.
Exploitability
Exploitation is straightforward and requires only low-privilege user credentials to access form fields. No special network position or advanced technique is needed. The barrier to exploitation is the user interaction requirement—an attacker must trick or wait for a victim to view the compromised page. Once a payload is stored, it poses persistent risk to all subsequent visitors. This makes it an attractive vector for internal attackers or those targeting high-traffic pages.
Remediation
Patch affected AEM instances to versions released after 2026.04 as provided by Adobe. For environments where immediate patching is constrained, implement input validation and output encoding rules at the form field level, disable JavaScript execution in user-controlled content, and restrict form field editing to trusted administrators only. Monitor access logs for suspicious form field modifications.
Patch guidance
Obtain the latest security patch from Adobe for your specific AEM version (6.5.x, LTS SP1, or 2026.x track). Adobe typically provides patches within their regular update cycle; verify availability on the Adobe Security Advisory page. After patching, test forms in a staging environment to confirm functionality is preserved. Coordinate deployments to minimize service interruption.
Detection guidance
Search AEM form field content for script tags, event handlers (onclick, onerror, onload), and encoded payloads (e.g., %3cscript%3e patterns). Review audit logs for form field modifications by low-privilege accounts. Monitor for unusual JavaScript execution in user sessions following form page navigation. Use web application firewalls to log and block XSS patterns in form submissions. Consider Content Security Policy headers to restrict inline script execution.
Why prioritize this
Although the CVSS score is moderate (5.4), the combination of low attack complexity, persistent storage, scope change, and low barrier to entry justifies swift remediation. Internal threat scenarios and supply-chain risk (compromised partners injecting malicious content) elevate practical risk above the numerical score. Organizations with public-facing AEM deployments should prioritize this higher.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for low-privilege access and user interaction, which limit immediate impact. However, the scope change (S:C) and potential for broad confidentiality and integrity compromise warrant closer examination. The score does not account for reputational damage or regulatory consequences of content defacement or customer data theft via XSS.
Frequently asked questions
Can this vulnerability be exploited without user credentials?
No. The attacker must possess low-privilege AEM user access to inject the malicious script into form fields. However, 'low-privilege' means nearly any internal user, contractor, or compromised account qualifies—a relatively low bar in many organizations.
If we disable form submissions, are we safe?
If form fields are not used or are completely disabled, the attack surface is eliminated. However, disabling a core AEM feature is usually impractical. Instead, restrict write access to form fields, validate inputs server-side, and encode outputs to prevent script execution.
How do we know if we've been exploited?
Review AEM audit logs for unexpected form field edits, particularly by low-privilege accounts or during off-hours. Scan published pages for suspicious script tags or event handlers in form markup. Browser console logs on visitor machines may also reveal injected scripts.
Does this affect AEM Cloud Service, or only on-premises?
Both are affected. Versions prior to and including 2026.04 across all deployment models (on-premises, Managed Services, Cloud Service) are vulnerable. Cloud-hosted instances may patch faster if Adobe applies fixes server-side, but verify your specific deployment model and patch status with Adobe.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Exploit code is not provided. Organizations should verify all patch versions and compatibility against official Adobe security advisories and their own environment specifications before applying updates. SEC.co makes no warranty regarding the completeness or timeliness of this analysis. Consult Adobe directly for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4