CVE-2025-46939: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46939. The vulnerability was initially discovered and reported to Adobe Systems Incorporated, with the CVE record being created on April 30, 2025, and subsequently published to the National Vulnerability Database on June 10, 2025 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, user interaction, and potential for limited confidentiality and integrity impacts (Wiz).

When successfully exploited, the vulnerability enables malicious JavaScript execution in a victim's browser when they navigate to the page containing the vulnerable field. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks within the context of the affected Adobe Experience Manager installation (NVD).

Adobe has released security updates to address this vulnerability. Users are advised to update to Adobe Experience Manager version 6.5.23.0 or later. For AEM Cloud Service users, updating to version 2025.5.0 or later is recommended (NVD).