MEDIUM 5.4

CVE-2026-47990: Stored XSS in Adobe Experience Manager 6.5, LTS SP1, 2026.04

Adobe Experience Manager has a stored cross-site scripting (XSS) vulnerability that allows attackers with basic system access to plant malicious code in form fields. When legitimate users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions, stealing data, or triggering unwanted actions. The vulnerability affects AEM versions 6.5.24, LTS SP1, and 2026.04 and earlier.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47990 is a stored XSS flaw (CWE-79) in Adobe Experience Manager that permits authenticated users with low privilege to inject arbitrary JavaScript into vulnerable form fields. The injected payload persists in the application's database and executes client-side whenever any user navigates to or views a page containing the compromised field. The scope change indicated in the vulnerability description suggests the attack can impact security domains or user contexts beyond the attacker's direct privilege level, amplifying lateral risk within AEM deployments.

Business impact

Organizations running affected AEM instances face session hijacking, credential theft, malware distribution, and reputational damage if attackers use the vulnerability to compromise trusted internal or customer-facing portals. Given that the attack requires only low-privilege access—such as a content editor or form contributor role—the risk is elevated for enterprises with distributed authoring teams. Stored XSS is difficult to detect and remediate after infection, potentially affecting many users before discovery.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier are vulnerable. Organizations should inventory all AEM deployments by version and patch level. Patch version numbers for remediation must be verified against the official Adobe security advisory.

Exploitability

Exploitation requires valid AEM credentials and low privilege (e.g., form editor or contributor role). The attack vector is network-based with low attack complexity, and successful execution depends on a user viewing the compromised page (user interaction required). The CVSS 3.1 score of 5.4 reflects medium severity. Automated scanning tools cannot reliably detect injected payloads without direct inspection of form field data and rendered output; manual code review and content audits are necessary.

Remediation

Apply Adobe's security patch to upgrade AEM beyond the affected versions (6.5.24, LTS SP1, 2026.04). Additionally, conduct a forensic audit of form fields across all AEM instances to identify and remove any malicious payloads. Implement input validation, output encoding, and content security policies (CSP) to prevent future XSS injection. Restrict form editing privileges to trusted users and enable audit logging for all field modifications.

Patch guidance

Contact Adobe support or consult the official Adobe Experience Manager security advisory for the specific patch versions and deployment steps. Patches should be tested in a staging environment before production rollout. Verify patch applicability for your exact AEM version and configuration. Monitor Adobe's security bulletins for cumulative updates that may address this and related vulnerabilities.

Detection guidance

Monitor AEM access logs and form submission records for unusual changes by low-privilege users. Use web application firewalls (WAF) to detect and block inline script patterns in form submissions. Deploy browser-based content security policy headers to mitigate XSS execution. Review form field audit trails for unexpected modifications, especially outside normal business hours. Penetration testers should include stored XSS validation in AEM assessment scope, focusing on custom and standard form components.

Why prioritize this

Although the CVSS score is medium (5.4), stored XSS in a content management platform merits expedited remediation because the flaw affects trusted content infrastructure and can compromise many users passively. The low barrier to entry (basic user access) and scope change (cross-context impact) increase practical risk. Organizations with public-facing or multi-tenant AEM deployments should prioritize this higher than the numeric score alone suggests.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) is driven by network-based attack vector, low complexity, and requirement for low privilege and user interaction. Confidentiality and integrity are degraded (L/L) but availability is unaffected (N). The scope change (S:C) acknowledges that the vulnerability can impact contexts beyond the attacker's privilege level, preventing a lower score. For many organizations, the practical risk is elevated due to the persistent nature of stored XSS and the trust users place in content served by AEM.

Frequently asked questions

Can this vulnerability be exploited by unauthenticated attackers?

No. Exploitation requires valid AEM credentials and at least low-level privilege (such as content editor or form contributor role). Unauthenticated users cannot directly inject payloads, but they may be victims if an insider exploits the flaw.

How do I know if my AEM instance has been compromised by this vulnerability?

Search your AEM form fields, pages, and asset metadata for unexpected script tags or suspicious JavaScript. Enable and review detailed audit logs for modifications by low-privilege accounts. If you suspect compromise, engage forensics support and consider isolating the instance for investigation.

Is there a workaround if I cannot patch immediately?

Implement a Web Application Firewall (WAF) rule to block inline script submissions and restrict form-editing roles to trusted users only. Enable Content Security Policy (CSP) headers to prevent inline script execution. However, these are temporary measures; patching should proceed as soon as feasible.

Does this vulnerability affect AEM as a Cloud Service?

The advisory specifies AEM 6.5.24, LTS SP1, and 2026.04 and earlier; Cloud Service offerings may have different versioning. Consult the official Adobe advisory and your AEM Cloud Service provider to confirm your deployment status and required actions.

This analysis is for informational purposes and does not constitute professional security advice. Patch versions, advisory URLs, and remediation timelines must be verified against official Adobe security bulletins before implementation. Organizations should conduct independent risk assessment and testing in controlled environments. SEC.co makes no warranty regarding the completeness or accuracy of version lists or technical details; always consult the vendor advisory as the authoritative source. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).