MEDIUM 5.4

CVE-2026-47977: Adobe Experience Manager Stored XSS Vulnerability—Patch Guidance & Detection

Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw in certain form fields. An attacker with low-level system access can embed malicious JavaScript into these fields, and that script executes automatically when other users view the affected page. The vulnerability requires user interaction (victims must visit the page), but the stored nature means the attack persists and affects anyone who accesses the compromised content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47977 is a stored XSS vulnerability (CWE-79) affecting Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04, and earlier. The flaw exists in form field handling and allows authenticated attackers with low privileges to inject malicious scripts. When a victim accesses a page containing the injected payload, the JavaScript executes in their browser context with the victim's privileges. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network-accessible attack surface, low complexity, requirement for login credentials, user interaction dependency, and cross-site scope change—indicating the payload can affect resources and sessions beyond the immediate form.

Business impact

Stored XSS in Experience Manager poses data exfiltration and session hijacking risks. Attackers can steal authenticated user session cookies, capture sensitive form submissions, or redirect users to credential-harvesting sites. For organizations using AEM for customer-facing portals or internal workflows, this threatens customer trust, regulatory compliance (especially in financial or healthcare contexts), and operational integrity. The 'scope changed' element in CVSS indicates potential to compromise connected systems or user trust boundaries.

Affected systems

The vulnerability affects Adobe Experience Manager versions 6.5.24 (and presumably earlier 6.5.x releases), LTS SP1, and 2026.04 (and presumably earlier versions in the 2026.x line). Organizations must identify all AEM instances in their environment, confirm version against the affected ranges, and prioritize systems hosting customer-facing or data-sensitive content.

Exploitability

Exploitation requires valid AEM credentials and low privilege level—meaning any authenticated user, including those with minimal administrative rights, can inject malicious code. The barrier to weaponization is low for insiders or attackers with valid accounts. External exploitation paths depend on AEM authentication architecture and whether account creation or password reset mechanisms are accessible. User interaction (visiting a page with the payload) is required for the attack to succeed, making social engineering or internal distribution tactics relevant. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update.

Remediation

Apply Adobe's patched versions for your AEM deployment. For AEM 6.5.x environments, upgrade to the fixed 6.5.25 or later (verify against Adobe's official advisory for exact patch version). For LTS SP1 and 2026.04 lineages, follow Adobe's guidance to the appropriate patched release. Interim mitigations include implementing Web Application Firewall (WAF) rules to detect XSS payloads in form submissions, enforcing strict Content Security Policy (CSP) headers, and reviewing form field access controls to limit who can author or modify form content.

Patch guidance

Check Adobe's official security advisories for the exact patched version corresponding to your AEM release line. Patches are typically cumulative service packs or hotfixes. Before patching production systems, test in a staging environment to verify compatibility with custom code and extensions. Schedule patching promptly given the low barrier to exploitation; consider prioritizing systems accessible to external users or handling sensitive data.

Detection guidance

Hunt for suspicious JavaScript in AEM form field configurations using automated scanning or manual code review. Monitor AEM audit logs for form field creation or modification by low-privileged users, particularly outside normal change windows. Inspect browser developer consoles for unexpected script execution when accessing AEM forms. Deploy SIEM detection for anomalous session behavior post-form submission (unusual API calls, data exfiltration patterns). Content Security Policy violation logs can signal XSS attempts if CSP is enforced.

Why prioritize this

Although rated MEDIUM severity (5.4 CVSS), this vulnerability warrants prompt patching because stored XSS persistence affects all future visitors, low-privileged users can exploit it, and scope change indicates risk to downstream systems. Organizations relying on AEM for customer engagement should treat this as high-priority. Risk tier rises if AEM hosts payment forms, personal data collection, or internal employee workflows.

Risk score, explained

CVSS 5.4 MEDIUM reflects a network-accessible, low-complexity attack requiring login and user interaction, with limited direct confidentiality and integrity impact. However, the stored nature, low privilege bar, and scope-change element mean blast radius and persistence are higher than many MEDIUM-rated flaws. Context matters: customer-facing AEM deployments face greater risk than isolated internal instances.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. CVE-2026-47977 requires valid AEM login credentials, even at low privilege levels. This limits the attack surface to users with accounts—employees, contractors, or partners with access—but does not require administrator status.

What is 'scope changed' and why does it matter?

In CVSS terminology, scope change means the vulnerability can affect resources or trust boundaries beyond the vulnerable component itself. In this case, injected scripts can access and manipulate other parts of AEM, session data, and potentially user interactions across connected systems, amplifying the security impact.

Is there a public exploit for CVE-2026-47977?

As of the publication date, CVE-2026-47977 is not listed on CISA's Known Exploited Vulnerabilities catalog, and no reliable public exploit code has been widely weaponized. However, the low barrier to exploitation means attack code could emerge quickly after patch release details are public.

If we enforce strong CSP headers, are we protected?

A well-configured Content Security Policy can mitigate stored XSS damage by blocking inline script execution and restricting external script sources. However, CSP is a defense-in-depth layer, not a replacement for patching. Some configurations may be too permissive to block all variants, and attackers may find CSP bypass techniques. Patching is essential.

This analysis is for informational purposes and reflects publicly available information as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of vendor advisories or patch availability. Organizations should independently verify patch versions and compatibility against Adobe's official security bulletins before deployment. CVSS scores and severity ratings are provided by NVD/vendors and may evolve. Consult your security team and vendor documentation before making production decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).