CVE-2025-46916: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2025-46916 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier, discovered and disclosed on June 10, 2025. The vulnerability affects both AEM on-premise installations and AEM Cloud Service versions (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to inject malicious scripts into vulnerable form fields. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, low privileges required, user interaction required, and potential for both confidentiality and integrity impacts (NVD).

When successfully exploited, malicious JavaScript code can be executed in a victim's browser when they browse to the page containing the vulnerable field. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (Wiz).

Adobe has released security updates to address this vulnerability. Users are advised to update to Adobe Experience Manager version 6.5.23.0 or later for on-premise installations, and version 2025.5.0 or later for AEM Cloud Service (Wiz).