CVE-2025-47091 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM environment. When a victim subsequently accesses the affected page containing the injected script, the malicious code executes in their browser context. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and served to multiple users, increasing the attack surface and potential impact. The vulnerability requires low privileges to exploit but does require user interaction, as the victim must visit the compromised page for the script to execute. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, the attack complexity is low, privileges required are low, user interaction is required, and the scope is changed, meaning the vulnerability affects components beyond the vulnerable module. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations using affected versions should be vigilant and prepare to apply updates once available. Stored XSS in AEM can lead to session hijacking, credential theft, defacement, or distribution of malware, impacting users and organizational reputation.

For European organizations using Adobe Experience Manager, this vulnerability poses a significant risk to web application security and user trust. A successful exploit could allow attackers to execute arbitrary scripts in the browsers of employees, customers, or partners, potentially leading to theft of sensitive information such as authentication tokens, personal data, or internal communications. This can result in unauthorized access to corporate resources or further lateral movement within the network. Additionally, the exploitation of stored XSS can facilitate phishing campaigns or malware distribution, amplifying the threat. Given the widespread use of AEM in enterprise content management and digital experience platforms across Europe, especially in sectors like government, finance, and retail, the impact could be substantial. The medium severity rating suggests that while the vulnerability is not critical, it still warrants prompt attention to prevent exploitation that could undermine confidentiality and integrity of data and systems.

European organizations should implement the following specific mitigation strategies: 1) Immediately audit all AEM instances to identify versions 6.5.22 and earlier and prioritize upgrading to the latest patched version once Adobe releases it. 2) In the interim, apply strict input validation and output encoding on all form fields within AEM to prevent malicious script injection. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing AEM content. 4) Conduct thorough security testing, including automated scanning and manual penetration testing focused on XSS vectors in AEM forms and components. 5) Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content hosted on AEM portals. 6) Monitor web server and application logs for unusual activity or repeated attempts to inject scripts. 7) Use web application firewalls (WAFs) with updated rules to detect and block XSS payloads targeting AEM. These targeted measures go beyond generic advice by focusing on immediate risk reduction and preparing for patch deployment.