CVE-2025-46837: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was initially discovered and reported to Adobe Systems Incorporated, with the CVE record created on April 30, 2025, and subsequently published to the National Vulnerability Database on June 10, 2025 (NVD).

The vulnerability allows a low privileged attacker to inject malicious scripts into vulnerable form fields within Adobe Experience Manager. When a victim browses to the page containing the vulnerable field, malicious JavaScript may be executed in their browser. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.7 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality and integrity (NVD, Wiz).

A successful exploitation of this vulnerability can lead to session takeover, with high impact on both confidentiality and integrity. The vulnerability affects both the cloud service version and on-premises deployments of Adobe Experience Manager (Wiz).

Adobe has released security updates to address this vulnerability. Users are advised to update to Adobe Experience Manager versions after 6.5.22 or AEM Cloud Service versions after 2025.5.0 (Wiz).