CVE-2025-46860: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and initially reported on April 30, 2025, with public disclosure occurring on June 10, 2025. This security flaw affects both standard AEM installations and AEM Cloud Service versions (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). It has received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability is network accessible, requires low attack complexity and low privileges, needs user interaction, and has the potential for both confidentiality and integrity impacts (Wiz, NVD).

When successfully exploited, the vulnerability enables malicious JavaScript execution in a victim's browser when they navigate to a page containing the compromised field. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations are advised to update their Adobe Experience Manager installations to the latest version. The fix is available for both standard installations and AEM Cloud Service versions (Wiz).