CVE-2025-47090 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim subsequently visits a page containing the compromised form field, the injected script executes in their browser context. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and delivered to multiple users, increasing the attack surface and potential impact. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction needed (UI:R), and scope changed (S:C). The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability’s exploitation requires a user to interact with the malicious content, but the attacker only needs low privileges to inject the payload, making it a credible threat in environments where multiple users access AEM-managed content or administrative interfaces.

For European organizations using Adobe Experience Manager, this vulnerability poses a risk of client-side script execution leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. Since AEM is widely used for managing corporate websites, intranets, and digital assets, exploitation could compromise sensitive business information or disrupt internal workflows. The stored nature of the XSS means that multiple users can be affected once the malicious script is injected, potentially leading to widespread impact within an organization. Confidentiality and integrity of user sessions and data are at risk, especially for organizations with multiple users accessing AEM content or administrative portals. This could also damage organizational reputation and lead to regulatory compliance issues under GDPR if personal data is compromised. The medium severity score reflects that while the attack requires user interaction, the low privilege requirement and network accessibility make it a realistic threat vector.

European organizations should prioritize the following mitigations: 1) Immediately review and restrict user input fields in AEM to ensure proper input validation and output encoding, especially on form fields that accept user-generated content. 2) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 3) Monitor and audit AEM logs for unusual input patterns or repeated form submissions that could indicate attempted exploitation. 4) Restrict AEM administrative and content management access to trusted users only, employing strong authentication and role-based access controls. 5) Regularly update AEM to the latest available versions once Adobe releases patches addressing this vulnerability. 6) Educate users to recognize suspicious content and avoid interacting with untrusted links or forms within AEM-managed sites. 7) Employ web application firewalls (WAFs) with rules tuned to detect and block common XSS payloads targeting AEM. These steps go beyond generic advice by focusing on proactive input validation, user access restrictions, and layered defenses tailored to the AEM environment.