CVE-2025-46878: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-46878. The vulnerability was discovered and reported on June 10, 2025, affecting both on-premise installations of AEM up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD CVE, MITRE CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that allows attackers with low privileges to inject malicious scripts into vulnerable form fields. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, low privileges, and user interaction (NVD CVE).

When exploited, the vulnerability allows malicious JavaScript code to be executed in victims' browsers when they visit pages containing the compromised form fields. This can lead to unauthorized access to user data and potential manipulation of browser content (NVD CVE).

Adobe has addressed this vulnerability by releasing Experience Manager version 6.5.23.0 and AEM Cloud Service version 2025.5.0. Users are strongly advised to upgrade to these or later versions to mitigate the risk (NVD CVE).