CVE-2026-27235 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is stored persistently on the server. When other users access the affected pages containing the injected script, the malicious code executes within their browsers under the context of the vulnerable site. This can lead to theft of sensitive information such as session cookies, user credentials, or the ability to perform actions on behalf of the victim user. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4, with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported yet, but the presence of stored XSS in a widely used enterprise content management system like AEM poses a significant risk if weaponized. Adobe has not yet released a patch, so organizations must monitor for updates and apply them promptly once available.

The impact of this vulnerability includes potential compromise of user confidentiality and integrity. Attackers can steal session tokens, enabling account takeover or unauthorized actions within the affected application. The stored nature of the XSS means that the malicious payload persists and can affect multiple users over time, increasing the attack surface. While availability is not directly impacted, the exploitation could lead to reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. Organizations relying on AEM for critical web content delivery or customer-facing portals are at risk of targeted attacks, especially if attackers leverage social engineering to induce user interaction. The requirement for low privileges lowers the barrier for exploitation, making it accessible to a wider range of attackers. Given AEM’s use in government, finance, healthcare, and large enterprises, the threat could have broad implications for data security and operational integrity.

Organizations should implement multiple layers of defense to mitigate this vulnerability. First, monitor Adobe’s official channels for patches and apply updates to AEM versions 6.5.23 and earlier as soon as they become available. Until a patch is released, apply strict input validation and sanitization on all user-supplied data, especially in form fields, to prevent injection of malicious scripts. Employ output encoding techniques to neutralize any potentially harmful content before rendering it in browsers. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Conduct regular security assessments and penetration testing focused on web application vulnerabilities. Educate users about the risks of interacting with suspicious content and implement multi-factor authentication to reduce the impact of session hijacking. Additionally, review and limit user privileges to minimize the ability of low-privileged users to inject malicious content. Logging and monitoring for unusual activity related to form submissions can help detect exploitation attempts early.