CVE-2025-46855: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on June 10, 2025, and was assigned by Adobe Systems Incorporated. This security issue affects Adobe Experience Manager installations up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, low privileges required, and user interaction required (NVD, Wiz).

When successfully exploited, the vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to the page containing the vulnerable field. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations are advised to upgrade their Adobe Experience Manager installations to the latest version to mitigate this security risk (Wiz).