MEDIUM 5.4

CVE-2026-47980: Adobe Experience Manager Stored XSS Vulnerability

Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability in form field handling that allows low-privileged users to inject malicious scripts. When a victim visits a page containing an affected form field, the injected JavaScript executes in their browser, potentially allowing the attacker to steal session tokens, modify page content, or perform actions on behalf of the victim. The vulnerability affects versions 6.5.24, LTS SP1, 2026.04 and earlier.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47980 is a stored XSS flaw (CWE-79) in Adobe Experience Manager's form field processing. An authenticated attacker with low privilege level can persist malicious JavaScript payloads in vulnerable form fields. Upon retrieval and rendering, the unvalidated input executes in the browser context of any user viewing the contaminated page. The CVSS 3.1 score of 5.4 reflects network accessibility, low attack complexity, low privilege requirement, and user interaction necessary to trigger execution. Notably, the scope is changed, indicating the vulnerability can affect resources beyond the vulnerable component itself.

Business impact

Stored XSS in a content management system like Experience Manager poses significant organizational risk. Attackers can deface pages, redirect users to phishing sites, harvest credentials, or inject malware references visible to customers and partners. Affected organizations may face reputational damage, regulatory notification obligations if user data is compromised, and operational disruption during remediation. The low privilege barrier means internal staff or contractors with minimal access can launch attacks, expanding the threat surface.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier are vulnerable. Organizations running these versions in production environments—particularly those exposed to less-trusted users or those accepting user-generated form submissions—require immediate assessment and patching.

Exploitability

Exploitation requires valid user credentials and interaction from a victim (form viewing), placing this in the moderate exploitability range. The low privilege requirement lowers the attacker bar; any authenticated user, not just administrators, can inject payloads. No CISA Known Exploited Vulnerabilities listing is currently associated with this CVE, though public awareness may accelerate exploit development. The straightforward nature of XSS persistence makes this a natural target once patches are announced.

Remediation

Organizations should prioritize upgrading to patched versions of Experience Manager released by Adobe. Verify the specific patch version number against Adobe's official security advisory. In parallel, implement input validation and output encoding on all form fields, enforce Content Security Policy (CSP) headers to restrict inline script execution, and review existing form data for injected payloads. Restrict form submission privileges to trusted users where feasible.

Patch guidance

Contact Adobe or consult their official security advisory for confirmed patch version numbers addressing CVE-2026-47980. Patching should be staged through a test environment first, given Experience Manager's role in production content delivery. Plan maintenance windows to minimize user disruption. Validate patching by confirming version numbers match advisory guidance and conducting functional testing of form submission workflows post-deployment.

Detection guidance

Monitor web server and application logs for unusual form submissions containing script tags or event handlers (e.g., 'onclick=', '<script>', 'onerror='). Review Experience Manager's audit logs for form field modifications by low-privileged users. Implement Web Application Firewall (WAF) rules to block common XSS payloads in form inputs. Conduct periodic manual inspection of published pages for unexpected JavaScript or iframe elements. Security scanning tools should be configured to test for reflected and stored XSS in form handling.

Why prioritize this

Although CVSS 5.4 is rated MEDIUM, this vulnerability merits faster remediation than the score alone suggests. Stored XSS in a widely-used content platform carries high visibility and reputational risk; once exploited, malicious content persists and reaches broad audiences. The low privilege requirement expands the attacker pool. Organizations should treat this as a priority patch to prevent data theft, malware injection, and customer-facing compromises.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects: network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), and user interaction dependency (UI:R). Confidentiality and integrity are partially impacted (C:L, I:L), with no availability impact (A:N). The 'scope changed' component indicates the vulnerability can breach security boundaries, affecting resources beyond the immediate form component—a factor raising concern relative to a standard stored XSS. Business context and asset sensitivity should inform local risk scoring.

Frequently asked questions

Does this vulnerability allow unauthenticated access to Experience Manager?

No. Exploitation requires valid user credentials. However, the low privilege requirement means any authenticated user—not just admins—can inject payloads, which is a significant concern for organizations with many internal users or contractor accounts.

Can we use Web Application Firewalls (WAF) to fully protect against this vulnerability?

WAF rules can help block common XSS patterns in form inputs, reducing but not eliminating risk. WAF is a detective and preventive control, not a substitute for patching. Combined with input validation on the application side and CSP headers, WAF strengthens defense-in-depth, but timely patching remains essential.

How do we know if our forms have been compromised by this vulnerability?

Search Experience Manager audit logs for modifications to form fields by low-privileged users around the vulnerability publication date. Review published pages containing forms for unexpected script tags, iframes, or event handlers. Engage your security team to scan pages with automated XSS testing tools. Consider a forensic review if you suspect prior exploitation.

What is the difference between stored and reflected XSS, and why does this matter?

Stored XSS persists the payload in the database, affecting all future visitors—making it more dangerous. Reflected XSS requires the victim to click a malicious link. This CVE is stored, meaning cleanup requires removing injected data and patching the code; the attack surface remains until both actions complete.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations must independently verify all technical details, patch version numbers, and compatibility with their environments against official Adobe security advisories. Patch testing is mandatory before production deployment. The absence of public exploit code or CISA KEV listing does not imply unavailability of exploitation methods. Risk assessment should account for your specific business context, asset classification, and threat landscape. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).