CVE-2025-46956: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46956. The vulnerability was discovered and disclosed on June 10, 2025. This security issue affects the form field functionality within AEM installations (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability requires network access, has low attack complexity, requires low privileges and user interaction, with a changed scope and low impact on confidentiality and integrity (NVD, Wiz).

When successfully exploited, the vulnerability allows malicious JavaScript execution in a victim's browser when they navigate to pages containing compromised form fields. The vulnerability affects both confidentiality and integrity at a low level, while having no impact on system availability (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations are advised to upgrade to the latest version of Adobe Experience Manager to mitigate this security risk (NVD).