CVE-2025-46865: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that was discovered and published on June 10, 2025. The vulnerability affects both standard AEM installations and AEM Cloud Service versions up to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that allows malicious script injection into vulnerable form fields. The CVSS v3.1 base score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with impacts on confidentiality and integrity but not availability (NVD).

When exploited, the vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to a page containing the compromised form field. The attack requires low privileges to execute, making it accessible to a wider range of potential attackers (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22 and in AEM Cloud Service versions after 2025.5.0. Users are advised to upgrade to the latest version to mitigate this security risk (Adobe Advisory).