CVE-2025-46842: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. The vulnerability was discovered and disclosed in June 2025, affecting Adobe Experience Manager installations up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79). It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical assessment indicates that the vulnerability requires low attack complexity and low privileges, but user interaction is required for successful exploitation (NVD).

When exploited, the vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to the page containing the vulnerable field. This can lead to unauthorized access to sensitive information and potential manipulation of user data within the affected Adobe Experience Manager installations (NVD).

Adobe has addressed this vulnerability in Adobe Experience Manager version 6.5.23.0 and AEM Cloud Service version 2025.5.0. Users are advised to update their installations to these versions or later to mitigate the risk (NVD).