CVE-2025-46885: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on June 10, 2025, affecting both standard Experience Manager installations and AEM Cloud Service versions up to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The weakness is identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields (NVD).

When exploited, this vulnerability allows malicious JavaScript to be executed in a victim's browser when they browse to a page containing the vulnerable field. The impact is considered medium severity with potential for information disclosure and limited system compromise (Wiz).

Users should upgrade to versions newer than Adobe Experience Manager 6.5.22 or AEM Cloud Service version 2025.5.0 to address this vulnerability (Wiz).