Adobe Experience Manager versions 6.5.23 and earlier: Malicious scripts injected in browser

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Adobe Experience Manager versions 6.5.23 and earlier: Malicious scripts injected in browser

CVE-2026-27231

Summary

Adobe Experience Manager versions 6.5.23 and earlier allow attackers to inject malicious code into form fields on your website. This could happen if an attacker tricks a user into filling out a malicious form. To protect your site, update to a fixed version of Adobe Experience Manager.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
adobe	experience_manager	<= 6.5.24.0	–
adobe	experience_manager	<= 2026.2.0	–
adobe	experience_manager	6.5	–
adobe	experience_manager	6.5	–

Original title

Original description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

nvd CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026