CVE-2025-46960: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-46960). The vulnerability was discovered and disclosed on June 10, 2025, affecting Adobe Experience Manager installations including both on-premises deployments up to version 6.5.22 and cloud service versions prior to 2025.5.0 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, and necessary user interaction (NVD, Wiz).

When exploited, this vulnerability allows attackers to inject malicious scripts into vulnerable form fields, which can then be executed in a victim's browser when they browse to the page containing the vulnerable field. The impact is limited to low confidentiality and integrity breaches, with no impact on availability (NVD).

Users should upgrade to versions newer than Adobe Experience Manager 6.5.22 or cloud service version 2025.5.0 and later to address this vulnerability (NVD).