CVE-2026-27240 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient input sanitization in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is persistently stored on the server. When other users access the affected pages containing the injected scripts, the malicious code executes in their browsers within the security context of the vulnerable web application. This can lead to unauthorized actions such as session hijacking, credential theft, or unauthorized modifications of displayed content. The vulnerability has a CVSS v3.1 base score of 5.4, indicating medium severity, with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges, and user interaction to trigger the exploit. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported yet, but the nature of stored XSS makes it a significant risk in environments where AEM is used to manage web content accessible by multiple users. The vulnerability is tracked under CWE-79, a common and well-understood class of web application security issues. Adobe has not yet published patches or mitigation instructions at the time of this report, so organizations must rely on interim controls.

The impact of this vulnerability is primarily on confidentiality and integrity. An attacker exploiting this stored XSS flaw can execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session cookies, performing actions on behalf of users, or defacing web content. This can lead to unauthorized access to sensitive information, user impersonation, and reputational damage. Although availability is not directly affected, the indirect consequences of compromised user sessions or defaced content can disrupt business operations. Organizations using AEM for critical web content delivery, especially those with many users or sensitive data, face increased risk. The requirement for user interaction (visiting a maliciously crafted page) limits exploitation somewhat, but the persistent nature of stored XSS increases the attack surface. The medium CVSS score reflects these factors, but the real-world impact could escalate if combined with social engineering or other attack vectors.

Organizations should immediately review their Adobe Experience Manager deployments and identify versions 6.5.23 and earlier. Since no official patches are currently available, interim mitigations include: 1) Implement strict input validation and output encoding on all user-supplied data, especially in form fields susceptible to injection. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. 3) Use web application firewalls (WAFs) with rules targeting XSS payloads to detect and block malicious requests. 4) Educate users to recognize suspicious links or content that could trigger XSS attacks. 5) Limit privileges of users who can submit content to reduce the risk of malicious input. 6) Monitor logs and user activity for signs of exploitation attempts. Once Adobe releases official patches, prioritize timely deployment to fully remediate the vulnerability. Additionally, conduct security testing and code reviews to identify and fix similar injection points.