CVE-2025-46873: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on June 10, 2025, affecting both on-premises deployments up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that allows malicious script injection into vulnerable form fields. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires network access, low attack complexity, low privileges, and user interaction for successful exploitation (NVD, Wiz).

When successfully exploited, the vulnerability enables malicious JavaScript execution in victims' browsers when they navigate to pages containing the compromised form fields. The impact is considered moderate as it requires low privileges to exploit and can lead to unauthorized script execution in users' browsers (NVD).

Adobe has released security updates to address this vulnerability. Users are advised to upgrade to Adobe Experience Manager version 6.5.23.0 or later for on-premises deployments, or to version 2025.5.0 or later for AEM Cloud Service installations (NVD).