Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
AnalysisAI
Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.
Technical ContextAI
The vulnerability is a classic Stored XSS (CWE-79: Improper Neutralization of Input During Web Page Generation), where user-controlled input written to the server is later rendered back to browsers without sufficient output encoding or sanitization. The affected component, identified by CPE cpe:2.3:a:adobe:adobe_experience_manager_forms_jee:*:*:*:*:*:*:*:*, is the Java EE (JEE) deployment variant of Adobe Experience Manager Forms - a heavyweight content management and digital forms platform commonly deployed in enterprise on-premises environments. JEE deployments are distinct from AEM Forms OSGi and typically run on application servers such as JBoss, WebLogic, or WebSphere. The CVSS Scope Changed (S:C) attribute is technically significant: it indicates the injected script executes outside the vulnerable component's own security domain, meaning a successful payload running in a victim's browser can reach resources and cookies belonging to the broader web application origin, not just the forms subsystem.
RemediationAI
Apply the fix detailed in Adobe Security Bulletin APSB26-57 at https://helpx.adobe.com/security/products/aem-forms/apsb26-57.html. The exact patched release version is not independently confirmed from the available intelligence beyond the APSB26-57 advisory reference - consult the bulletin directly for the specific update package or service pack targeting versions beyond 6.5.24.0 and LTS SP1. As a compensating control prior to patching, restrict network access to AEM Forms JEE administrative and form-authoring interfaces to trusted IP ranges using a WAF or network ACL - this limits the attack surface to the high-privileged accounts that can inject the payload, preventing any external actor from obtaining that access. Deploying a Content Security Policy (CSP) header that restricts script sources to known safe origins will reduce the impact of any stored XSS execution by preventing exfiltration to attacker-controlled domains. Auditing stored form field content for script tags or JavaScript URI patterns can assist in detecting prior compromise. Note that CSP and IP restriction are mitigations, not fixes - patching via APSB26-57 remains the definitive remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35764
GHSA-rj84-7c55-q3v8