CVE-2025-64791 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When other users access the affected pages containing the injected scripts, the malicious code executes within their browsers under the context of the vulnerable AEM site. This can lead to unauthorized actions such as session hijacking, credential theft, or manipulation of displayed content, impacting confidentiality and integrity. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and relies on user interaction to trigger the script execution. The CVSS 3.1 base score of 5.4 reflects these factors: network attack vector, low attack complexity, low privileges required, user interaction needed, and a scope change due to the script running in the victim's browser context. No public exploits have been reported yet, but the vulnerability is publicly disclosed and considered medium severity. Adobe Experience Manager is widely used by enterprises for managing digital content and customer experiences, making this vulnerability significant for organizations relying on AEM for their web presence. The lack of available patches at the time of disclosure increases the urgency for interim mitigations.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user data and sessions when interacting with AEM-powered websites or portals. Attackers exploiting this flaw could execute arbitrary scripts in the browsers of users, potentially leading to theft of authentication tokens, redirection to malicious sites, or unauthorized actions performed on behalf of users. Organizations handling sensitive customer or internal data through AEM are particularly vulnerable to reputational damage and regulatory consequences under GDPR if user data is compromised. Public-facing AEM instances used by government, financial, healthcare, or e-commerce sectors in Europe could be targeted to disrupt services or steal information. Although availability impact is not indicated, the potential for widespread user impact and data leakage makes this a significant concern. The medium severity rating suggests a moderate but tangible risk that requires timely attention to prevent exploitation.

1. Monitor Adobe's official channels for patches addressing CVE-2025-64791 and apply them promptly once released. 2. Implement strict input validation and output encoding on all form fields within AEM to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 4. Conduct regular security audits and penetration testing focused on web application vulnerabilities, especially XSS, within AEM environments. 5. Restrict user privileges to the minimum necessary to reduce the risk of low-privileged attackers injecting malicious content. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with untrusted content. 7. Use web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting AEM. 8. Review and harden AEM configurations to disable or limit features that allow user-generated content where feasible. These steps collectively reduce the attack surface and mitigate the risk until official patches are applied.