Adobe Experience Manager versions 6.5.23 and earlier allow malicious scripts to run in your browser

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Adobe Experience Manager versions 6.5.23 and earlier allow malicious scripts to run in your browser

CVE-2026-27239

Summary

Adobe Experience Manager versions 6.5.23 and earlier have a security flaw that allows hackers to inject malicious code into certain web pages. This could happen if a user visits a website or receives an email with a malicious link. To protect yourself, update to the latest version of Adobe Experience Manager as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
adobe	experience_manager	<= 6.5.24	–
adobe	experience_manager	<= 2026.2.0	–
adobe	experience_manager	6.5	–
adobe	experience_manager	6.5	–
adobe	experience_manager	<= 6.5.24.0	–

Original title

Original description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

nvd CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026