CVE-2025-46935: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and initially recorded on April 30, 2025, with public disclosure occurring on June 10, 2025. This security issue affects Adobe Experience Manager installations, including both the standard version up to 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that could be exploited by attackers with low privileges. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates network accessibility, low attack complexity, required low privileges, and necessary user interaction (NVD, Wiz).

When successfully exploited, the vulnerability enables malicious JavaScript code execution in a victim's browser when they navigate to a page containing the compromised field. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (Wiz).

Adobe has addressed this vulnerability by releasing Adobe Experience Manager version 6.5.23.0 and AEM Cloud Service version 2025.5.0. Users are strongly advised to update to these versions or later to mitigate the vulnerability (Wiz).