CVE-2026-48300: Adobe Experience Manager Stored XSS in Form Fields
Adobe Experience Manager contains a stored cross-site scripting (XSS) vulnerability in form field handling that allows low-privileged users to inject malicious JavaScript. When a victim visits a page containing an affected form field, the attacker's script executes in their browser, potentially compromising their session or stealing sensitive data. The vulnerability affects multiple versions including 6.5.24, LTS SP1, and 2026.04 and earlier.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This stored XSS vulnerability (CWE-79) exists in Adobe Experience Manager's form field processing logic. An authenticated attacker with low privileges can inject malicious script payloads into vulnerable form fields; these payloads persist in the application's data store. When any user—including administrators or other victims—navigates to a page rendering the compromised form field, the malicious script executes in their browser context. The CVSS 3.1 vector (5.4 MEDIUM, AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects that the attack requires network access, low privilege level, user interaction, and results in scope change with confidentiality and integrity impact. The scope change indicates the vulnerability can affect security properties of components beyond the vulnerable component itself.
Business impact
Stored XSS in Experience Manager poses significant risk to organizations using AEM for content management and digital asset delivery. Attackers can deface content visible to customers, inject credential-stealing forms, or redirect users to malicious sites. If authors or administrators interact with compromised content, attackers gain foothold for lateral movement and privilege escalation. For customer-facing digital experiences, this damages brand trust and may trigger compliance violations (GDPR, PCI-DSS). The low barrier to entry (low-privilege attacker) and persistence of injected payloads make this a sustained threat until patched.
Affected systems
The vulnerability affects Adobe Experience Manager in versions 6.5.24, LTS SP1, 2026.04, and all earlier versions within those release tracks. Organizations running any of these versions with form-based content or user input fields are in scope. The impact extends to any end user or administrator viewing pages that contain the malicious payload, not just the account that injected it.
Exploitability
Exploitation is straightforward and requires only low privileges within Experience Manager. An attacker needs valid credentials (author-level access) and ability to edit or create form fields. User interaction is required—the victim must browse to a page containing the malicious form field—but this is highly likely in normal content consumption workflows. No complex interaction chains are needed; a single malicious form field can affect many users over time. The network-accessible nature of AEM makes this remotely exploitable without requiring local system access.
Remediation
Adobe has issued security updates to address this vulnerability. Organizations must upgrade to patched versions of Experience Manager as specified in the official Adobe Security Bulletin. Immediate actions include identifying all AEM instances in the environment and their current versions, prioritizing patching for externally facing or high-value content systems. Pending patch deployment, consider restricting form editing permissions to trusted administrators and monitoring form field modifications for suspicious content.
Patch guidance
Consult the official Adobe Experience Manager security advisory for version-specific patch availability. Organizations should verify the exact patched version numbers from Adobe's advisory, as different release tracks (6.5.x, LTS, 2026.x) may have different update schedules. After patching, sanitization of existing form field data is recommended to remove any previously injected payloads. Test patches in non-production environments before rollout to validate content integrity and application functionality.
Detection guidance
Monitor Experience Manager audit logs for form field creation or modification by low-privileged accounts, especially unusual patterns or rapid bulk changes. Search existing form field content for common XSS patterns such as <script>, javascript:, onerror=, onload=, and other event handlers. Web application firewalls (WAF) in front of AEM should be configured to detect and block XSS payloads in POST/PUT requests to form endpoints. Implement Content Security Policy (CSP) headers to mitigate execution of injected scripts even if payloads persist.
Why prioritize this
Although rated MEDIUM severity, this vulnerability warrants near-term patching due to low attack complexity, low barrier to entry, and high likelihood of exploitation in multi-user content management environments. Stored XSS affecting form fields is particularly dangerous because payloads affect multiple victims passively. Any organization where authors lack full trust or whose systems lack strong administrative access controls should treat this as elevated priority. The scope change aspect indicates wider impact beyond the immediate component.
Risk score, explained
The CVSS 3.1 score of 5.4 MEDIUM reflects the vulnerability's requirement for authenticated access, user interaction, and moderate impact (confidentiality and integrity, no availability loss). However, the actual organizational risk may be higher depending on the sensitivity of data handled by AEM, the number of end users consuming the content, and the level of administrative oversight of form creation. Organizations with customer-facing AEM deployments or handling personal/financial data should treat this above the MEDIUM baseline.
Frequently asked questions
What is the difference between stored and reflected XSS, and why does stored matter more here?
Reflected XSS requires an attacker to trick a user into clicking a malicious link; stored XSS persists in the application database and affects any user who visits the compromised page. This vulnerability is stored, meaning an attacker injects once and many victims are affected passively over time without clicking a link. This makes stored XSS significantly more dangerous and harder to contain.
Do I need admin credentials to exploit this, or just any user account?
The vulnerability requires low-privilege credentials, meaning attacker-controlled author-level or content-editor accounts are sufficient. Full administrative credentials are not necessary. Organizations should audit who has form-editing permissions and ensure accounts are properly managed and monitored.
Does updating Experience Manager automatically remove malicious payloads already in the database?
No. Patching fixes the vulnerability but does not automatically sanitize existing form field data. After patching, administrators should audit and manually remove or quarantine any suspected malicious payloads from the system to prevent their execution through other vectors or in environments that may not receive updates immediately.
How does Content Security Policy (CSP) help if the XSS payload is already stored in our system?
CSP acts as a safety net by restricting the execution context of scripts. Even if a malicious payload persists in the database and is rendered to a user's browser, a strict CSP can prevent inline script execution or scripts from unauthorized sources, blocking the attack at the browser level. CSP is not a substitute for patching but is a valuable defense-in-depth control.
This analysis is provided for informational purposes to help organizations assess risk and prioritize remediation efforts. The vulnerability details, affected versions, and CVSS score are based on the vendor advisory published by Adobe. Organizations should verify patch availability and version numbers directly from Adobe's official security bulletins before planning remediation. Exploitation requires valid credentials and is not passive; however, the impact of successful exploitation can affect many users. This is not a substitute for formal vulnerability management processes or vendor guidance. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34692MEDIUMAdobe Experience Manager DOM-Based XSS Vulnerability Analysis
- CVE-2026-47935MEDIUMAdobe Experience Manager DOM-based XSS Vulnerability (CVSS 5.4)
- CVE-2026-47936MEDIUMAdobe Experience Manager Stored XSS
- CVE-2026-47939MEDIUMAdobe Experience Manager Stored XSS Vulnerability – Patch Guidance
- CVE-2026-47941MEDIUMStored XSS in Adobe Experience Manager—CVSS 5.4 Medium
- CVE-2026-47942MEDIUMAdobe Experience Manager Stored XSS Vulnerability
- CVE-2026-47943MEDIUMAdobe Experience Manager Stored XSS Vulnerability (CVSS 5.4)
- CVE-2026-47944MEDIUMAdobe Experience Manager Stored XSS Vulnerability – CVSS 5.4