CVE-2025-46922: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on April 30, 2025, affecting multiple versions of Adobe Experience Manager, including the AEM Cloud Service versions up to 2025.5.0 (NVD Database, CVE MITRE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 5.4 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, user interaction requirement, and potential for both confidentiality and integrity impacts (NVD Database).

The vulnerability allows low-privileged attackers to inject malicious scripts into vulnerable form fields. When victims browse to pages containing the compromised fields, malicious JavaScript code can be executed in their browsers, potentially leading to unauthorized data access or manipulation (NVD Database).

Adobe has addressed this vulnerability in versions after 6.5.22 for standard installations and in version 2025.5.0 for AEM Cloud Service. Users are advised to update to the latest version to mitigate this security risk (NVD Database).