CVE-2026-27244 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient sanitization of user-supplied input in form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server. When legitimate users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability requires the attacker to have some level of access to submit data (low privileges) and relies on user interaction (visiting the compromised page) to trigger the exploit. The CVSS v3.1 base score is 5.4, indicating a medium severity level, with attack vector as network, low attack complexity, requiring privileges, and user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the risk remains significant due to the widespread use of AEM in enterprise content management. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. Adobe has not yet published patches or mitigation details, so organizations must rely on interim controls to reduce risk.

The primary impact of this vulnerability is on confidentiality and integrity. Attackers can steal sensitive information such as session cookies, authentication tokens, or personal data by executing malicious scripts in users' browsers. This can lead to account takeover, unauthorized actions, or further exploitation within the affected organization’s environment. Although availability is not directly impacted, the trustworthiness of the web application is compromised, potentially damaging organizational reputation. Since AEM is widely used by enterprises for managing digital content and customer interactions, exploitation could affect a broad range of industries including government, finance, healthcare, and retail. The requirement for low privileges and user interaction lowers the barrier for exploitation but limits the attacker's capabilities to some extent. Organizations with high-value targets or sensitive data hosted on AEM platforms face increased risk of targeted attacks leveraging this vulnerability.

Organizations should immediately review and restrict permissions to form fields and user input areas within Adobe Experience Manager to minimize exposure. Implement strict input validation and sanitization on all user-supplied data to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web server and application logs for unusual input patterns or repeated attempts to inject scripts. Use web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. Until official patches are released by Adobe, consider isolating or disabling vulnerable components or forms that accept user input. Educate users about the risks of clicking on suspicious links or interacting with untrusted content. Regularly update and audit AEM configurations and access controls to reduce the attack surface. Engage with Adobe support channels for timely updates and apply patches as soon as they become available.