CVE-2026-27250 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is persistently stored on the server. When legitimate users access the affected pages containing the injected scripts, the malicious code executes in their browsers under the context of the vulnerable web application. This can lead to theft of session cookies, user credentials, or execution of unauthorized actions on behalf of the victim. The vulnerability requires user interaction (visiting the compromised page) and low attacker privileges but does not require authentication to exploit. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope change, and limited confidentiality and integrity impacts without availability impact. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability falls under CWE-79, a common web application security weakness related to improper neutralization of input leading to XSS.

The primary impact of this vulnerability is on confidentiality and integrity within affected Adobe Experience Manager deployments. Attackers can steal sensitive information such as session tokens or user credentials by executing malicious scripts in victim browsers. This can lead to account compromise, unauthorized actions, or lateral movement within the affected web application environment. Although availability is not impacted, the breach of confidentiality and integrity can result in significant reputational damage, regulatory penalties, and potential data breaches for organizations relying on AEM for content management. Since AEM is widely used by enterprises for managing digital assets and websites, the vulnerability poses a risk to organizations globally, especially those with public-facing portals or intranets accessible to multiple users. The requirement for user interaction and low privileges somewhat limits exploitation but does not eliminate risk, particularly in environments with many users or where attackers can lure victims to vulnerable pages.

Organizations should monitor Adobe’s official channels for patches addressing CVE-2026-27250 and apply updates to Adobe Experience Manager 6.5.23 or earlier versions as soon as they become available. In the interim, implement strict input validation and sanitization on all form fields to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Review and harden user privilege assignments to minimize the ability of low-privileged users to inject content. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities in web applications. Educate users about the risks of clicking unknown links or visiting untrusted pages within the organization’s web environment. Consider using web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. Finally, monitor logs and user activity for signs of exploitation attempts or anomalous behavior related to injected scripts.