CVE-2025-46954: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that was discovered and published on June 10, 2025. The vulnerability has been assigned the identifier CVE-2025-46954 and affects Adobe Experience Manager's form field functionality (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is characterized as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires network access, low attack complexity, low privileges, and user interaction, with a changed scope and low impact on confidentiality and integrity (NVD, Wiz).

When exploited, this vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields. The injected JavaScript code can be executed in a victim's browser when they navigate to the page containing the compromised field (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22. Users are advised to upgrade their Adobe Experience Manager installations to the latest version to mitigate this security risk (NVD).