{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27231", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-02-18T22:02:41.381Z", "datePublished": "2026-03-11T00:23:16.297Z", "dateUpdated": "2026-03-11T13:38:41.939Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Experience Manager", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "6.5.23", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-03-10T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "LOW", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-03-11T00:23:16.297Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:30:36.244111Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:38:41.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:30:36.244111Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:30:37.246Z"}}], "cna": {"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "modifiedScope": "CHANGED", "temporalScore": 5.4, "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 5.4, "privilegesRequired": "LOW", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "LOW", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "LOW", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "LOW", "modifiedConfidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Experience Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.5.23"}], "defaultStatus": "affected"}], "datePublic": "2026-03-10T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-03-11T00:23:16.297Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27231", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:38:41.939Z", "dateReserved": "2026-02-18T22:02:41.381Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-03-11T00:23:16.297Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "matchCriteriaId": "0FC0CE20-2AC2-45FB-A7CF-9ADEEBC8B411", "versionEndExcluding": "6.5.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*", "matchCriteriaId": "DEF26D3E-0DD3-4D1F-A198-C069F6E49045", "versionEndExcluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*", "matchCriteriaId": "852C2582-859F-40DB-96CF-E1274CEECC1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*", "matchCriteriaId": "00DDCBAD-1FEF-487F-97BB-481DC02F493A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."}, {"lang": "es", "value": "Las versiones 6.5.23 y anteriores de Adobe Experience Manager est\u00e1n afectadas por una vulnerabilidad de cross-site scripting (XSS) almacenado que podr\u00eda ser explotada por un atacante para inyectar scripts maliciosos en campos de formulario vulnerables. JavaScript malicioso podr\u00eda ejecutarse en el navegador de una v\u00edctima cuando naveguen a la p\u00e1gina que contiene el campo vulnerable."}], "id": "CVE-2026-27231", "lastModified": "2026-03-11T14:59:38.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-03-11T01:16:52.637", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.23]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Adobe Experience Manager", "source": "cna", "vendor": "Adobe"}, "product": "adobe_experience_manager", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-03-17T16:42:18.137719+00:00", "value": {"mitigation_remediation": ["Check Adobe\u2019s security bulletin for the latest patch (Experience Manager 6.5.24 or later) and apply it to all affected instances."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) \u2013 arbitrary script execution in victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "The vulnerable products are Adobe Experience Manager on\u2011premises builds 6.5 (prior to 6.5.24) and the corresponding SP1 release. The cloud\u2011based Adobe Experience Manager Cloud Service is also affected as indicated by the CPE data. No specific patch level is listed, but the vulnerability affects any service running a 6.5 version equal to or older than 6.5.23.", "description_and_impact": "Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross\u2011Site Scripting (XSS) vulnerability that allows an attacker to inject malicious JavaScript into form fields. Key detail from vendor description: \"Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field.\" This flaw permits arbitrary script execution in the context of the victim\u2019s browser; it does not provide direct system compromise but can lead to session hijacking or data theft if the victim is authenticated.", "risk_and_exploitability": "The CVSS v3 score of 5.4 indicates moderate severity. EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. Attackers need only supply malicious content via a form that is stored and rendered to users; the script executes when the affected page is viewed. The risk is therefore limited to users who can view the compromised content and is mitigated by applying a patch."}}}}, "created": "2026-03-11T11:38:47.808748+00:00", "updated": "2026-03-20T14:33:30.664972+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_experience_manager"]}