CVE-2025-46900: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2025-46900 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. The vulnerability was discovered and initially published to the National Vulnerability Database (NVD) on June 10, 2025 (NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that could be exploited by an attacker with low privileges. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, and user interaction, with impacts to confidentiality and integrity but not availability (Wiz).

When exploited, this vulnerability allows attackers to inject malicious scripts into vulnerable form fields within the Adobe Experience Manager system. When victims browse to the page containing the compromised field, the malicious JavaScript executes in their browsers, potentially leading to unauthorized access to user data and session hijacking (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations using affected versions of Adobe Experience Manager should upgrade to the latest version to mitigate this security risk (Wiz).