CVE-2025-46879: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46879. The vulnerability was initially discovered and reported to Adobe Systems Incorporated, with the CVE record being created on April 30, 2025. This security issue affects both on-premises installations of AEM up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD NIST).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) and has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires low privileges to exploit and involves user interaction, with the attack complexity being rated as low (NVD NIST, Wiz).

When successfully exploited, this vulnerability allows malicious JavaScript execution in victims' browsers when they navigate to pages containing the compromised form fields. The impact is considered medium severity, affecting both the confidentiality and integrity of the system, though availability remains unaffected (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22. Users are strongly advised to upgrade to the latest version of Adobe Experience Manager to mitigate this security risk (Wiz).