CVE-2025-46858: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and published on June 10, 2025, and was assigned CVE-2025-46858. This security flaw affects Adobe Experience Manager installations up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). It received a CVSS v3.1 Base Score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with impacts on confidentiality and integrity but not availability (NVD, Wiz).

The vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields. When victims browse to the page containing the compromised field, malicious JavaScript may be executed in their browsers, potentially leading to unauthorized data access or manipulation (NVD).

Adobe has released version 6.5.23.0 for Adobe Experience Manager and version 2025.5.0 for AEM Cloud Service to address this vulnerability. Users are advised to update to these versions or later to mitigate the risk (NVD).