CVE-2025-46866: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on June 10, 2025, and was assigned CVE-2025-46866. This security issue affects both Adobe Experience Manager installations up to version 6.5.22 and AEM Cloud Service versions up to 2025.5.0 (NVD CVE, Wiz Report).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) with a CVSS v3.1 Base Score of 5.4 (Medium). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, user interaction, and potential for both confidentiality and integrity impacts (NVD CVE).

When exploited, this vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to a page containing the vulnerable field. The impact is considered medium severity due to the potential for unauthorized script execution in the context of the victim's browser session (Wiz Report).

Adobe has addressed this vulnerability in Experience Manager versions after 6.5.22 and AEM Cloud Service versions after 2025.5.0. Users are advised to upgrade to the latest version to mitigate this security risk (NVD CVE).