CVE-2026-47945 Overview
CVE-2026-47945 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04, and earlier releases. A low-privileged authenticated attacker can inject malicious JavaScript into vulnerable form fields. The payload executes in a victim's browser when they navigate to a page rendering the affected field. The vulnerability carries a changed scope, meaning the impact extends beyond the vulnerable component itself. The flaw is tracked under CWE-79 and documented in Adobe Security Advisory APSB26-56.
Critical Impact
Authenticated attackers can persist malicious JavaScript into AEM-rendered pages, hijacking sessions and acting on behalf of authenticated users within the changed scope.
Affected Products
- Adobe Experience Manager 6.5.24 and earlier
- Adobe Experience Manager LTS SP1
- Adobe Experience Manager 2026.04 and earlier (including AEM Cloud Service)
Discovery Timeline
- 2026-06-09 - CVE-2026-47945 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47945
Vulnerability Analysis
The flaw is a stored XSS issue in form-field handling within Adobe Experience Manager. AEM accepts attacker-controlled input through form fields but fails to neutralize script content before persisting and later rendering it in the browser context of other users. Because the payload is stored server-side, any subsequent visitor to the affected page triggers script execution without further attacker interaction beyond the initial injection.
The CVSS vector records that the attack requires user interaction and only low privileges, and that exploitation changes scope. A changed scope indicates the injected script executes in a security context different from the vulnerable component, allowing the attacker to reach data or functionality outside the component boundary. Confidentiality and integrity impacts are limited, and availability is not affected.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. AEM does not consistently encode or sanitize user-supplied data written into form-field values before storage or output. When the field is rendered, the browser parses the attacker payload as executable JavaScript rather than inert text.
Attack Vector
An attacker authenticates to AEM with a low-privileged account that can edit or submit form content. The attacker injects a JavaScript payload into a vulnerable form field. A second user, often a content author or site visitor with higher privileges, loads the page rendering the field. The script then runs in the victim's browser, where it can read cookies, exfiltrate session tokens, perform authenticated actions, or pivot into the AEM author environment.
No verified public proof-of-concept code is available for CVE-2026-47945. See the Adobe Security Advisory APSB26-56 for vendor-supplied technical context.
Detection Methods for CVE-2026-47945
Indicators of Compromise
- Form field values in the AEM JCR repository containing <script>, javascript:, onerror=, or onload= substrings.
- Unexpected outbound requests from author or publish instances to attacker-controlled domains after a content author loads a page.
- Anomalous session token reuse from IP addresses that did not perform the original login.
- AEM access logs showing POST requests to form submission endpoints from low-privileged accounts followed by GET traffic from privileged users on the same content path.
Detection Strategies
- Audit JCR nodes that store form-field values for HTML or JavaScript control characters that should have been encoded.
- Deploy a Content Security Policy (CSP) in report-only mode and review violation reports for inline script execution on AEM-served pages.
- Correlate authentication events for low-privileged AEM users with content modification events on form components.
- Inspect Dispatcher and CDN logs for unusual response sizes or payloads on rendered form pages.
Monitoring Recommendations
- Enable verbose audit logging on AEM author instances for content creation, modification, and replication activities.
- Forward AEM, Dispatcher, and web application firewall logs to a central analytics platform for cross-source correlation.
- Alert on CSP violations and on responses containing reflected or stored markup that breaks the expected output encoding.
- Review service-account and contributor-role activity weekly for unexpected edits to form components.
How to Mitigate CVE-2026-47945
Immediate Actions Required
- Apply the security updates referenced in Adobe Security Advisory APSB26-56 to all AEM author and publish instances.
- Inventory accounts with content-authoring privileges and disable any that are unused or unattributed.
- Audit existing form components for stored payloads before reopening authoring workflows to all users.
- Force session invalidation for AEM users after patching to revoke any tokens potentially captured through stored XSS.
Patch Information
Adobe has released fixed builds for AEM 6.5, AEM LTS, and AEM Cloud Service. Refer to Adobe Security Advisory APSB26-56 for the specific service-pack and cumulative-fix-pack versions that remediate CVE-2026-47945. AEM Cloud Service customers receive the fix through the standard release channel.
Workarounds
- Restrict form-authoring permissions to vetted users until patches are deployed across all environments.
- Enforce a strict Content Security Policy that disallows inline script and limits script sources to trusted origins.
- Configure AEM Dispatcher rules to filter request parameters containing script tags or event-handler attributes on form submission paths.
- Enable HttpOnly and Secure flags on AEM session cookies to reduce the impact of script-based token theft.
# Example CSP header configuration for AEM Dispatcher (httpd)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report"
Header always set X-Content-Type-Options "nosniff"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
