CVE-2025-46861: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was initially discovered and reported to Adobe Systems Incorporated, with the CVE record being created on April 30, 2025, and publicly disclosed on June 10, 2025 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that affects form fields within Adobe Experience Manager. It has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability is network accessible, requires low attack complexity and low privileges, needs user interaction, and has the potential for both confidentiality and integrity impacts (NVD, Wiz).

When successfully exploited, the vulnerability enables malicious JavaScript execution in a victim's browser when they navigate to pages containing the compromised form fields. This can potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks within the context of the affected AEM installation (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations are strongly advised to upgrade their Adobe Experience Manager installations to the latest version to mitigate this security risk (Wiz).