MEDIUM 5.4

CVE-2026-48301: Adobe Experience Manager Stored XSS – MEDIUM Risk Vulnerability

Adobe Experience Manager contains a stored cross-site scripting (XSS) flaw that allows a low-privileged user to plant malicious code in form fields. When other users visit pages containing these compromised fields, the injected scripts execute in their browsers, potentially stealing session data, credentials, or performing actions on their behalf. The vulnerability affects multiple versions through 2026.04 and requires user interaction—a victim must view the poisoned form—but the attacker needs only basic authentication access to inject the payload.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This stored XSS vulnerability (CWE-79) exists in Adobe Experience Manager's form handling logic across versions 6.5.24, LTS SP1, 2026.04 and earlier. An authenticated attacker with low privilege can inject unsanitized JavaScript into form field values; the payload persists server-side and executes in the DOM context of any user's browser when that user accesses the affected page. The CVSS 3.1 vector (5.4 MEDIUM, AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects network access, low attack complexity, low privilege requirement, required user interaction, and changed scope—meaning the vulnerability can impact confidentiality and integrity of resources beyond the vulnerable component itself.

Business impact

Stored XSS in a widely-deployed content management platform like Experience Manager can compromise user accounts, enable credential theft, deface content, inject malware payloads into downstream pages, and damage organizational reputation. If your organization publishes forms to customers or partners, attackers can target those audiences at scale. Internal teams are equally at risk if form-heavy workflows exist. Remediation delays increase exposure window and likelihood of active exploitation.

Affected systems

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are in scope. Organizations using these versions—particularly those with multi-user authoring environments or public-facing forms—should audit their deployment to confirm installed version and patch status. Verify your exact version in the AEM console or deployment logs before assuming you are or are not affected.

Exploitability

Exploitation requires valid user credentials (low privilege is sufficient) and a victim must visit the page containing the malicious form field. There is no evidence of active KEV exploitation at this time. However, the low attack complexity and straightforward injection pattern mean exploitation is relatively accessible to attackers with basic web security knowledge. Insider threat risk is moderate; a disgruntled low-level user could plant payloads affecting entire organizations.

Remediation

Apply the Adobe security patch for Experience Manager covering this CVE. Consult Adobe's official advisory to identify the correct patch version for your installed release line (6.5.x, LTS, or 2026.x). Test patches in a non-production environment first. Until patched, enforce strict content security policies (CSP), input validation, and output encoding at the application layer; however, these are detective/mitigating controls, not substitutes for patching.

Patch guidance

Contact Adobe directly or visit their security advisory portal to obtain the patched version corresponding to your Experience Manager release line. Verify the patch release date and version number from Adobe's official sources before deployment. Test thoroughly in a staging environment to ensure compatibility with custom extensions or configurations. Schedule patching during a maintenance window to minimize business disruption. Document patch application for compliance audits.

Detection guidance

Monitor Experience Manager form field submissions and updates for suspicious script tags, event handlers (onclick, onload, onerror), and encoded variants thereof. Enable AEM's audit logging and review it for form modifications by low-privilege accounts. Search existing form fields for payloads containing script, iframe, or event attribute keywords. Use WAF or network-based XSS detection rules if deployed upstream. Check browser console logs and network traffic for unexpected script execution originating from form pages.

Why prioritize this

Although CVSS is MEDIUM, the vulnerability merits prompt attention due to persistence (stored XSS is more dangerous than reflected), cross-scope impact, and the pervasiveness of Experience Manager in publishing workflows. Organizations with public-facing or high-traffic forms should prioritize patching within 30 days. Those with minimal form usage or strong CSP policies may extend timelines slightly but should not defer indefinitely.

Risk score, explained

CVSS 5.4 reflects the moderate severity: exploitation requires authentication and user interaction, and impact is limited to confidentiality and integrity with no availability risk. However, stored XSS in a CMS is inherently higher-risk than the score alone suggests because it can be weaponized post-compromise to target many victims. The 'S:C' (scope changed) component elevates concern. Use CVSS as a baseline, not a ceiling, and combine it with your organization's form exposure and user base sensitivity.

Frequently asked questions

Do we have to patch immediately if we use Experience Manager forms?

No, but prioritize within 30 days, especially if your forms are customer-facing or contain sensitive fields. If you have strong Content Security Policy headers in place and minimal public form traffic, you may extend slightly—but verify your protections are actually enforced. Do not delay indefinitely.

Can an attacker escalate this vulnerability to compromise the entire AEM instance?

Stored XSS alone does not grant server-side code execution or elevated privileges. However, once an attacker plants a payload, they can harvest credentials or session tokens from victims who view the form, potentially enabling lateral movement. This is why even a MEDIUM-scored XSS warrants swift action in a multi-user environment.

Will a WAF or CSP header fully protect us while we prepare a patch?

No, not fully. A strict CSP (e.g., script-src 'self') can prevent inline script execution, but CSP must be properly configured and may break legitimate functionality. Input filtering on the AEM side is also helpful but unreliable if the underlying code is flawed. These are temporary mitigations; patching is the proper fix.

How do we know if attackers have already exploited this in our instance?

Review AEM audit logs for form field changes by low-privilege users, especially updates containing HTML, script tags, or unusual characters. Check for unexpected JavaScript in published forms via your staging or QA environment. If you suspect active exploitation, consider engaging a forensics firm to analyze historical logs and form contents.

This analysis is based on publicly available CVE data and Adobe security disclosures as of 2026-06-17. Verify all patch versions, timelines, and affected components against Adobe's official advisories before taking action. SEC.co does not host exploit code and does not support weaponized attacks. Organizations should conduct their own risk assessment relative to their environment, user base, and form exposure. No guarantee of completeness or absolute accuracy is provided; consult qualified security professionals for critical deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).