CVE-2025-46864: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2025-46864 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier, including both on-premise installations and AEM Cloud Service versions prior to 2025.5.0. The vulnerability was disclosed on June 10, 2025 (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that allows malicious script injection into vulnerable form fields. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction for successful exploitation (NVD).

When successfully exploited, the vulnerability enables malicious JavaScript execution in a victim's browser when they navigate to a page containing the compromised field. This can potentially lead to unauthorized access to sensitive browser-based information and manipulation of the user's session (Wiz).

Adobe has addressed this vulnerability by releasing patches in Experience Manager version 6.5.23.0 and AEM Cloud Service version 2025.5.0. Users are strongly advised to upgrade to these or later versions to mitigate the risk (Wiz).