CVE-2025-46948: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and assigned CVE-2025-46948 on April 30, 2025. This security issue affects form fields within the Adobe Experience Manager platform (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) affecting form fields within Adobe Experience Manager. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, and needs user interaction, with impacts on both confidentiality and integrity but not availability (NVD, Wiz).

When successfully exploited, this vulnerability enables attackers to inject malicious scripts into vulnerable form fields. The injected JavaScript code can be executed in victims' browsers when they visit the page containing the compromised field, potentially leading to data theft and manipulation of user interactions within the affected AEM instances (Wiz).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations running affected versions should upgrade to the latest version of Adobe Experience Manager to mitigate the risk (Wiz).