
CVE-2025-64803: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-64803, CWE-79
Published: Wed Dec 10 2025 (12/10/2025, 18:23:31 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

AI-Powered Analysis

Last updated: 12/17/2025, 19:28:34 UTC

Technical Analysis

CVE-2025-64803 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are permanently stored on the target server, such as within form fields, and later executed in the browsers of users who access the affected content. In this case, a low-privileged attacker can inject JavaScript code into vulnerable form fields within AEM. When other users, potentially with higher privileges, view the compromised page, the malicious script executes in their browser context. This can lead to theft of session cookies, user impersonation, or redirection to malicious sites. The vulnerability requires the attacker to have at least low privileges to submit data and requires user interaction (visiting the affected page) for exploitation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and low confidentiality and integrity impacts with no availability impact. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and should be considered a credible risk. Adobe has not yet provided a patch link, so organizations must rely on interim mitigations. Given AEM's widespread use in enterprise content management, this vulnerability poses a risk of client-side attacks that can facilitate further compromise or data leakage.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager to manage web content and customer interactions. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, theft of sensitive information such as credentials or personal data, and potential spread of malware via injected scripts. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches), and cause operational disruptions if attackers leverage the vulnerability for further attacks. Since AEM is often used by government agencies, financial institutions, and large enterprises in Europe, the risk extends to critical sectors. The medium CVSS score reflects moderate risk, but the real-world impact depends on the sensitivity of the affected applications and the user base exposed to the malicious scripts. The requirement for user interaction and low privileges reduces the ease of exploitation but does not eliminate the threat, especially in environments with many users and frequent content updates.

Mitigation Recommendations

Organizations should immediately review and restrict access to vulnerable form fields in Adobe Experience Manager to minimize injection opportunities. Implement strict input validation and sanitization on all user-supplied data to prevent malicious script insertion. Apply comprehensive output encoding to ensure that any data rendered in web pages cannot be interpreted as executable code by browsers. Monitor logs and user activity for unusual form submissions or script execution patterns. Educate users to recognize suspicious behavior and avoid interacting with untrusted content. Where possible, isolate or sandbox affected AEM instances to limit exposure. Maintain regular backups of content and configurations to enable recovery if exploitation occurs. Stay alert for official Adobe patches or security advisories and apply updates promptly once available. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to AEM environments. Finally, conduct security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively.
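The output-encoding recommendation above, shown as an added Java example (not Adobe's or AEM's code): a stored form-field value is rendered once by raw concatenation, the pattern behind a stored XSS, and once through a minimal HTML encoder. The encoder and the sample submission are constructed for illustration; in a real AEM component the equivalent is HTL's context-aware expression (`${value @ context='html'}`) or the platform's XSSAPI.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class StoredFieldRendering {

    // Minimal encoder for HTML text and double-quoted attribute contexts.
    // It neutralizes the five characters that can terminate a text node or
    // attribute value. Constructed for this example; production code should
    // use the platform's context-aware encoder instead of a hand-rolled one.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: a value stored from a form submission is pasted
    // straight into markup, so stored markup becomes live markup for viewers.
    static String renderUnsafe(String label, String storedValue) {
        return "<label>" + label + "</label><input value=\"" + storedValue + "\">";
    }

    // Hardened pattern: every stored value is encoded for the context it lands
    // in (here HTML text and a quoted attribute) before it reaches the page.
    static String renderSafe(String label, String storedValue) {
        return "<label>" + encodeForHtml(label) + "</label><input value=\""
             + encodeForHtml(storedValue) + "\">";
    }

    public static void main(String[] args) {
        // Constructed form submission, as a low-privileged user could store it.
        Map<String, String> submission = new LinkedHashMap<>();
        submission.put("Name", "Alice");
        submission.put("Comment", "\"><script>alert(1)</script>");
        for (Map.Entry<String, String> e : submission.entrySet()) {
            System.out.println("unsafe: " + renderUnsafe(e.getKey(), e.getValue()));
            System.out.println("safe:   " + renderSafe(e.getKey(), e.getValue()));
        }
    }
}
```

In the unsafe output the stored comment closes the attribute and introduces a script element; in the safe output the same bytes render as literal text, which is the property a reviewer should verify for every field an AEM form persists and later displays.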


Technical Details

Data Version: 5.2
Assigner Short Name: adobe
Date Reserved: 2025-11-11T22:48:38.827Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6939bdb3fe7b3954b690be5c

Added to database: 12/10/2025, 6:36:35 PM

Last enriched: 12/17/2025, 7:28:34 PM

Last updated: 2/4/2026, 3:07:56 PM

Views: 42
