CVE-2025-47042 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the compromised form field, the injected script executes in their browser context. The vulnerability arises from insufficient input validation and output encoding in the handling of user-supplied data within the DOM, enabling persistent script injection. Because the attack vector is stored, the malicious payload remains on the server and affects all users who visit the infected page. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack can be launched remotely over the network (AV:N), requires low privileges (PR:L), and user interaction (UI:R) to trigger the script execution. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity moderately (C:L, I:L) but does not impact availability (A:N). No known exploits are currently reported in the wild, and no patches are listed yet, indicating that organizations using affected versions should prioritize mitigation and monitoring. The vulnerability is classified under CWE-79, which is a common and well-understood web application security weakness related to improper neutralization of input leading to XSS.

For European organizations using Adobe Experience Manager 6.5.22 or earlier, this vulnerability poses a risk of client-side script injection that can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim user. Given that AEM is widely used by enterprises and public sector organizations for content management and digital experience delivery, exploitation could compromise sensitive internal or customer data, damage organizational reputation, and lead to regulatory compliance issues under GDPR if personal data is exposed. The medium severity score reflects that while the vulnerability requires some user interaction and low privileges, the persistent nature of the stored XSS increases the attack surface and potential impact. Attackers could leverage this vulnerability to conduct targeted phishing campaigns or lateral movement within an organization’s web infrastructure. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as threat actors often develop exploits rapidly after disclosure. The impact on confidentiality and integrity is moderate, but the potential for cascading effects in complex enterprise environments elevates the concern for European organizations that rely heavily on AEM for digital services.

European organizations should immediately audit their Adobe Experience Manager deployments to identify affected versions (6.5.22 and earlier). Until an official patch is released, organizations should implement strict input validation and output encoding on all user-supplied data within AEM forms to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and harden user privilege assignments to minimize the number of users with permissions to submit or edit form data. Monitor web server and application logs for unusual input patterns or repeated form submissions that could indicate exploitation attempts. Conduct regular security testing, including automated scanning and manual penetration testing focused on XSS vectors. Educate users about the risks of clicking suspicious links or submitting data to untrusted sources. Once Adobe releases a patch, prioritize timely deployment in all affected environments. Additionally, consider implementing web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.