CVE-2025-46972: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported to Adobe Systems Incorporated, with the CVE identifier CVE-2025-46972 being assigned on April 30, 2025, and publicly disclosed on June 10, 2025 (MITRE CVE, NVD CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, and user interaction (NVD CVE).

When exploited, this vulnerability allows attackers with low privileges to inject malicious scripts into vulnerable form fields. When victims browse to pages containing the compromised fields, the malicious JavaScript executes in their browsers, potentially leading to unauthorized data access or manipulation (NVD CVE).

Adobe has addressed this vulnerability in versions after 6.5.22. Users are advised to upgrade their Adobe Experience Manager installations to the latest version to mitigate this security risk (Adobe Advisory).