CVE-2026-47975: Stored XSS in Adobe Experience Manager – Patch Guidance & Detection
Adobe Experience Manager (AEM) contains a stored cross-site scripting (XSS) vulnerability that allows attackers with basic user privileges to inject malicious scripts into form fields. When legitimate users visit pages containing these compromised fields, the attacker's JavaScript executes in their browsers. This is distinct from reflected XSS because the malicious payload persists in the application's database, affecting all subsequent visitors. The vulnerability requires user interaction—a victim must view the poisoned page—but the attacker needs only low-level access to inject the payload initially.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47975 is a stored XSS flaw (CWE-79) in Adobe Experience Manager affecting versions 6.5.24, LTS SP1, 2026.04 and earlier. The vulnerability stems from insufficient input validation or output encoding in form field handling. An authenticated attacker with low privileges can craft and store malicious JavaScript in vulnerable form fields. When another user accesses the page rendering that field, the script executes with the privileges and context of the viewing user's session. The CVSS 3.1 vector (5.4 MEDIUM: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network accessibility, low attack complexity, requirement for low privileges, user interaction dependency, and scope change—reflecting that the XSS may affect resources beyond the vulnerable component itself.
Business impact
Stored XSS in AEM poses significant operational and reputational risk. Attackers can harvest session tokens, redirect users to phishing sites, deface content, or perform actions on behalf of legitimate users. In an AEM environment managing critical digital assets and customer-facing content, injected malicious scripts could compromise content integrity, expose sensitive data within user sessions, or damage brand reputation if malicious content is served to customers or partners. The scope-change aspect means the vulnerability can break out of the AEM sandbox and affect downstream trust in any system consuming AEM-rendered pages.
Affected systems
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are vulnerable. Organizations running any of these versions on form-enabled pages should treat this as a priority. Verify your exact AEM version and confirm whether your deployment uses dynamic form fields that could be vectors for this attack. Environments where non-administrative users can create or edit forms carry heightened risk.
Exploitability
Exploitation requires a valid, low-privileged AEM user account—typically easier to obtain than administrative credentials. The attack is straightforward: inject JavaScript into a form field and wait for victims to visit that page. No advanced techniques, special network conditions, or privilege escalation are necessary. However, the attacker cannot force a victim to visit the compromised page; some social engineering or reliance on the page being naturally discovered may be needed. The low barrier to entry and deterministic impact make this a practical threat in any AEM instance with multiple users.
Remediation
Apply the security patch from Adobe as soon as it becomes available for your specific AEM version. Verify patch availability for 6.5.24, LTS SP1, and 2026.04 against the official Adobe Security Advisories. Until patched, implement input validation and output encoding controls at the application level if possible. Restrict form creation and editing permissions to trusted administrative users only. Consider temporarily disabling dynamic form features if they are not critical to operations. Review recent form submissions and pages for signs of injected scripts.
Patch guidance
Check Adobe's official security bulletin for CVE-2026-47975 to identify the exact patch version for your AEM release line (6.5.x, LTS, or 2026.x). Apply patches in a controlled manner: test in a non-production environment first, validate form functionality post-patch, and schedule deployment during a maintenance window to avoid service disruption. Given the stored nature of this vulnerability, verify that any cached or CDN-served pages are refreshed after patching. Adobe typically provides detailed installation instructions specific to each version.
Detection guidance
Monitor AEM logs for unusual form field submissions, particularly those containing script tags, event handlers (onclick, onload, onerror), or Base64-encoded payloads. Search form storage and content repositories for patterns such as '<script>', 'javascript:', or common XSS vectors. Implement Web Application Firewall (WAF) rules to detect outbound JavaScript execution from AEM-rendered pages. Conduct a security scan of all form definitions and stored values using a static code analysis tool configured for XSS patterns. Track user sessions accessing pages with recently modified form fields to identify whether malicious scripts were triggered.
Why prioritize this
Although rated MEDIUM severity, this vulnerability merits prompt attention due to its stored nature—once injected, it silently compromises all subsequent visitors without requiring re-exploitation. The low privilege barrier and automatic execution upon page visit make it an attractive target for persistent attacks. In multi-user AEM environments, the cumulative exposure across all form pages justifies prioritization above the CVSS score alone. Organizations managing customer data or public-facing content should patch before attackers have time to scout and exploit unpatched instances.
Risk score, explained
The CVSS 5.4 MEDIUM score reflects the balance between ease of exploitation (low privilege requirement, network-accessible, no attack complexity) and limited direct impact (confidentiality and integrity partial, no availability loss). The score is tempered by the requirement for user interaction and the fact that availability is not compromised. However, the scope-change element and stored persistence elevate real-world risk beyond the numerical score; defenders should treat this as higher priority than a typical MEDIUM-severity flaw.
Frequently asked questions
Can an attacker execute code on the AEM server itself?
No. This is a client-side XSS vulnerability. The malicious script runs in victims' browsers, not on the AEM server. The attacker gains access to the victim's session, browser data, and cookies—not to the underlying AEM infrastructure or file system.
Do we need admin privileges to inject malicious form fields?
No. The vulnerability requires only a low-privileged user account—typically a content editor, form creator, or similar non-administrative role. This significantly lowers the barrier to exploitation compared to vulnerabilities requiring admin access.
Will patching immediately remove existing malicious scripts from our forms?
Patching stops new injections but does not automatically clean up previously stored malicious payloads. After applying the patch, audit your form repositories, delete any suspicious entries, and purge cached pages to ensure old XSS payloads are not served to users.
How is this different from a reflected XSS vulnerability?
Stored XSS persists in the database and affects all users who view the page, whereas reflected XSS requires a crafted URL sent to a specific victim. Stored XSS is generally more dangerous because it can compromise many users at scale without requiring active social engineering per victim.
This analysis is based on the published CVE record and CVSS assessment as of June 2026. Specific patch version numbers, availability dates, and detailed remediation steps should be verified against the official Adobe Security Advisories before implementation. SEC.co does not provide exploit code or weaponization guidance. Organizations should conduct their own risk assessment in the context of their specific AEM deployments and business requirements. This intelligence is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4