CVE-2025-46872: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that was discovered and disclosed on June 10, 2025. The vulnerability affects both standard deployments up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD CVE, Wiz Report).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 Base Score of 5.4 (Medium). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), and requires user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality (C:L) and integrity (I:L), but no impact on availability (A:N) (NVD CVE).

If successfully exploited, the vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to a page containing the vulnerable field. This can lead to unauthorized access to sensitive information and potential manipulation of web content within the context of the affected application (NVD CVE).

Adobe has addressed this vulnerability in Experience Manager version 6.5.23.0 and AEM Cloud Service version 2025.5.0. Users are advised to update to these or later versions to mitigate the risk (NVD CVE).