CVE-2025-64803 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are permanently stored on target servers, such as within form fields, and later executed in the browsers of users who access the affected content. In this case, a low-privileged attacker can inject arbitrary JavaScript code into vulnerable input fields within AEM. When other users browse pages containing these fields, the malicious script executes in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface content. The vulnerability requires the attacker to have some level of access to submit data (low privileges), and user interaction is necessary for exploitation since victims must visit the compromised page. The CVSS 3.1 score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, low privileges required, and user interaction needed. The impact affects confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. Adobe Experience Manager is widely used by enterprises for web content management and digital experience delivery, making this vulnerability significant for organizations relying on AEM for their web presence. The vulnerability stems from insufficient input validation and output encoding in form fields, allowing script injection. Attackers exploiting this flaw could hijack user sessions, steal sensitive information, or manipulate displayed content, undermining user trust and organizational reputation.

For European organizations using Adobe Experience Manager, this vulnerability poses risks primarily to the confidentiality and integrity of user data and web content. Exploitation could lead to session hijacking, unauthorized actions performed under a victim’s credentials, theft of sensitive information, and defacement of websites. This can result in reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. Since AEM is often used by government agencies, financial institutions, and large enterprises in Europe, the impact could be significant in sectors handling sensitive or regulated data. The vulnerability does not affect system availability directly but could be leveraged as part of broader attack campaigns. The requirement for user interaction and low privilege reduces the ease of exploitation but does not eliminate risk, especially in environments with many users or public-facing portals. Organizations with extensive web presence and customer interaction through AEM are at higher risk of targeted attacks leveraging this vulnerability.

European organizations should immediately assess their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). Although no official patches are listed yet, organizations should apply any Adobe security updates as soon as they become available. In the interim, implement strict input validation and output encoding on all form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary, especially for users who can submit data to vulnerable forms. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities. Educate users and administrators about the risks of clicking on suspicious links or submitting untrusted data. Monitor web traffic and logs for unusual activity that may indicate exploitation attempts. Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.