Adobe Experience Manager
Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms.
Recent Adobe Experience Manager Security Advisories
| Advisory | Title | Published |
|---|---|---|
| APSB26-34 | Security updates available for Adobe Experience Manager Screens | April 14, 2026 |
| APSB26-24 | Security updates available for Adobe Experience Manager | March 10, 2026 |
| APSB25-115 | Security updates available for Adobe Experience Manager | December 9, 2025 |
| APSB25-98 | Security updates available for Adobe Experience Manager Screens | October 14, 2025 |
| APSB25-90 | Security updates available for Adobe Experience Manager | September 9, 2025 |
| APSB25-82 | Security updates available for Adobe Experience Manager | August 5, 2025 |
| APSB25-68 | Security updates available for Adobe Experience Manager Screens | July 8, 2025 |
| APSB25-67 | Security updates available for Adobe Experience Manager | July 8, 2025 |
| APSB25-48 | Security updates available for Adobe Experience Manager | June 10, 2025 |
| APSB25-32 | Security updates available for Adobe Experience Manager Screens | April 8, 2025 |
By the Year
In 2026 there have been 42 vulnerabilities in Adobe Experience Manager, with an average score of 5.4 out of ten. Last year, in 2025, Experience Manager had 368 security vulnerabilities published. Right now, Experience Manager is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.07.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 42 | 5.40 |
| 2025 | 368 | 5.47 |
| 2024 | 315 | 5.36 |
| 2023 | 218 | 5.41 |
| 2022 | 57 | 5.52 |
| 2021 | 12 | 6.76 |
| 2020 | 24 | 7.57 |
| 2019 | 20 | 6.10 |
| 2018 | 16 | 6.41 |
It may take a day or so for new Experience Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Adobe Experience Manager Security Vulnerabilities
Adobe Experience Manager 6.5.x FP11.7 DOM XSS
CVE-2026-34625
5.4 - Medium
- April 14, 2026
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
XSS
Adobe Experience Manager 6.5.24 FP11.7 DOM XSS before 6.5.25
CVE-2026-34623
5.4 - Medium
- April 14, 2026
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.
XSS
AEM 6.5.24/FP11.7 DOM XSS via crafted page
CVE-2026-34624
5.4 - Medium
- April 14, 2026
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
XSS
Adobe Experience Manager 6.5.24/FP11.7 DOM-XSS Vulnerability
CVE-2026-27288
5.4 - Medium
- April 14, 2026
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.
XSS
Adobe Experience Manager <=6.5.23 XSS via Form Field Injection
CVE-2026-27241
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 XSS in Form Fields (Low-Privileged Attack)
CVE-2026-27244
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.23 Stored XSS in Form Fields
CVE-2026-27255
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23- Stored XSS in Form Fields
CVE-2026-27251
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23-or-earlier: Stored XSS (fixed 6.5.24)
CVE-2026-27223
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 XSS in form fields
CVE-2026-27262
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23- before 6.5.24: Stored XSS in form fields
CVE-2026-27263
- March 11, 2026
Experience Manager 6.5.23 Stored XSS via form fields
CVE-2026-27261
- March 11, 2026
Adobe Experience Manager 6.5.23 XSS via Form Fields
CVE-2026-27232
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe AEM <=6.5.23 XSS in form fields
CVE-2026-27249
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields (6.5.23)
CVE-2026-27247
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 & earlier XSS via form fields
CVE-2026-27242
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 Stored XSS in Form Fields
CVE-2026-27252
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.23 XSS in form fields
CVE-2026-27235
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.23: Stored XSS in Form Fields
CVE-2026-27225
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS via Form Fields before 6.5.23
CVE-2026-27260
- March 11, 2026
Adobe Experience Manager 6.5.23 Stored XSS in Form Fields
CVE-2026-27256
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.23 stored XSS in form fields
CVE-2026-27237
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 & <6.5.23 Stored XSS in Form Fields
CVE-2026-27265
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 Stored XSS in Form Fields
CVE-2026-27233
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 and earlier XSS in form fields
CVE-2026-27236
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23: Stored XSS in Form Fields
CVE-2026-27240
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.x XSS via stored script in form fields (pre 6.5.23)
CVE-2026-27239
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 XSS in Form Fields
CVE-2026-27234
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 Stored XSS in Form Fields
CVE-2026-27259
- March 11, 2026
XSS in Adobe Experience Manager 6.5.23 Form Fields - Stored Script Injection
CVE-2026-27231
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM Stored XSS in Form Fields before 6.5.23
CVE-2026-27264
- March 11, 2026
Adobe Experience Manager 6.5.23 and earlier: Stored XSS in form fields
CVE-2026-27230
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 stored XSS in form fields
CVE-2026-27229
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Stored XSS in Adobe Experience Manager <=6.5.23
CVE-2026-27266
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 XSS in Form Fields
CVE-2026-27254
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in Form Fields (6.5.23)
CVE-2026-27228
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields (6.5.23)
CVE-2026-27248
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM 6.5.23 & earlier XSS via stored form field injection
CVE-2026-27257
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS via Form Fields <6.5.23
CVE-2026-27226
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Expr. Manager <=6.5.23 Stored XSS in Form Fields
CVE-2026-27253
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Stored XSS in Adobe Experience Manager 6.5.23 Form Fields
CVE-2026-27224
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 Stored XSS in Form Fields
CVE-2026-27250
5.4 - Medium
- March 11, 2026
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM <=6.5.23: Stored XSS in form fields
CVE-2025-64622
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23: Stored XSS in form fields
CVE-2025-64582
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 & earlier: Stored XSS via Form Fields
CVE-2025-64547
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS via Form Fields (before 6.5.23)
CVE-2025-64613
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.23 or earlier: Stored XSS in form fields
CVE-2025-64833
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS via Stored Form Field <=6.5.23
CVE-2025-64829
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.23 Stored XSS in Form Fields
CVE-2025-64553
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.23 DOM XSS via Crafted URL
CVE-2025-64545
5.4 - Medium
- December 10, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page.
XSS