CVE-2025-46846: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and published on June 10, 2025, with the identifier CVE-2025-46846. This security flaw affects Adobe Experience Manager installations, including both on-premises deployments up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, Vendor Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 5.4 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, and no availability impact (A:N) (NVD, Wiz).

When exploited, this vulnerability allows malicious JavaScript execution in a victim's browser when they browse to a page containing the vulnerable field. This could potentially lead to unauthorized access to user data and manipulation of web content (Wiz).

Adobe has released version 6.5.23.0 to address this vulnerability. Users are strongly advised to update to this version or later to mitigate the risk. For AEM Cloud Service users, updating to version 2025.5.0 or later is recommended (NVD).