CVE-2025-47114 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses the affected page containing the injected script, the malicious code executes in their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4, reflecting medium severity, with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges, and user interaction (victim must visit the compromised page). The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity, as the attacker can execute arbitrary scripts potentially stealing session tokens, performing actions on behalf of the user, or defacing content. Availability is not impacted. No known exploits are reported in the wild yet, and no patches are linked in the provided data, indicating organizations should prioritize remediation once available. Stored XSS in a widely used enterprise content management system like AEM is significant because it can be leveraged for targeted attacks against users with elevated privileges or customers accessing published content. The vulnerability’s exploitation requires the attacker to have some level of access to submit data to vulnerable forms, but no administrative privileges are necessary, increasing the attack surface. The persistent nature of stored XSS makes it more dangerous than reflected XSS, as the malicious payload remains active until removed.

For European organizations using Adobe Experience Manager, this vulnerability poses a risk of unauthorized script execution in the browsers of employees, partners, or customers accessing affected web pages. This can lead to session hijacking, credential theft, unauthorized actions performed with the victim’s privileges, and potential data leakage. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely on AEM for content management and digital experience delivery could face reputational damage, regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and operational disruptions. Since AEM is often used to manage public-facing websites and intranets, the attack could be leveraged for phishing campaigns or to distribute malware. The medium severity score indicates moderate risk, but the real-world impact depends on the deployment context, user roles, and the sensitivity of the data accessible through the affected pages. The requirement for user interaction (visiting the malicious page) means social engineering or targeted phishing could be used to maximize impact.

1. Immediate mitigation should include reviewing and restricting user input on all form fields in AEM to ensure proper input validation and output encoding, especially for HTML and JavaScript contexts. 2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing AEM content. 3. Monitor and audit logs for unusual input submissions or anomalous user behavior indicative of attempted exploitation. 4. Educate users about the risks of clicking unknown or suspicious links that may lead to malicious AEM pages. 5. Apply vendor patches or updates as soon as Adobe releases them for this vulnerability. 6. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 7. Conduct regular security assessments and penetration testing focused on input validation and stored XSS vectors within AEM deployments. 8. Limit the privileges of users who can submit data to vulnerable forms to reduce the attack surface. 9. Sanitize and review existing stored content in AEM to identify and remove any malicious scripts that may have been injected prior to patching.