CVE-2025-46874: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-46874. The vulnerability was discovered and disclosed on June 10, 2025, affecting both on-premises installations of AEM up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD Database, CVE Mitre).

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates network accessibility, low attack complexity, required low privileges, and necessary user interaction (NVD Database, Wiz Analysis).

If successfully exploited, this vulnerability enables the execution of malicious JavaScript content within the context of the victim's browser. The impact is considered moderate, with potential for information disclosure and limited system compromise through the execution of arbitrary JavaScript code in the user's browser session (NVD Database).

Adobe has released security updates to address this vulnerability. Users are recommended to upgrade to Adobe Experience Manager version 6.5.23.0 or later for on-premises installations, and to version 2025.5.0 or later for AEM Cloud Service deployments (NVD Database).