Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
AnalysisAI
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.
Technical ContextAI
Adobe Experience Manager is a widely deployed enterprise content management and digital experience platform. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), meaning user-controlled input submitted to a form field is persisted in the AEM content repository without adequate output encoding, and is later rendered verbatim in HTML pages served to other users. The CVSS scope-change designation (S:C) is canonical for stored XSS: the vulnerable component is the AEM server, but the security impact - arbitrary JavaScript execution - occurs in a different security principal's browser context. The CVSS vector AV:N/AC:L/PR:L/UI:R encodes that the attack is network-reachable, requires no special configuration to trigger, needs only a low-privilege AEM account to plant the payload, but does require a second-party victim to browse to the poisoned page. The affected CPE range per EUVD-2026-35720 spans all AEM releases up to and including 2026.04, covering both the legacy 6.5.x LTS line and the AEM as a Cloud Service release train.
RemediationAI
Apply the fix detailed in Adobe Security Bulletin APSB26-56 at https://helpx.adobe.com/security/products/experience-manager/apsb26-56.html. The exact patched release version is not independently confirmed from the available input data - consult APSB26-56 directly for the specific build or cumulative fix pack to install. As a compensating control while patching is scheduled, restrict write access to AEM form authoring components to the minimum set of trusted users, removing low-privileged or external-contributor roles from any content-authoring permissions where possible; this directly removes the attacker's ability to plant the payload (PR:L requirement). Deploying a strict Content Security Policy (CSP) header that disallows inline script execution on AEM-served pages will reduce the impact of any injected payload, though this may break legitimate AEM in-page JavaScript and should be tested in a staging environment first. Input validation or WAF rules that strip or encode script tags in form submission payloads provide an additional layer but are not a substitute for the vendor patch.
Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr
Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a
Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J
Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote
Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar
Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma
Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35720
GHSA-63pf-j459-66x7