Adobe Experience Manager versions 6.5.23 and earlier: Malicious scripts injected in form fields

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Adobe Experience Manager versions 6.5.23 and earlier: Malicious scripts injected in form fields

CVE-2026-27224

Summary

Adobe Experience Manager versions 6.5.23 and earlier have a security flaw that lets hackers inject malicious code into forms. This code can be triggered when a user visits a page that contains the form. Update to a newer version to fix the issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
adobe	experience_manager	<= 6.5.24.0	–
adobe	experience_manager	<= 2026.2.0	–
adobe	experience_manager	6.5	–
adobe	experience_manager	6.5	–

Original title

Original description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

nvd CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026