CVE-2025-46975: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46975. The vulnerability was discovered and initially recorded on April 30, 2025, and subsequently published to the National Vulnerability Database (NVD) on June 10, 2025. This security issue affects both standard AEM installations up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, and user interaction (NVD, Wiz).

When exploited, this vulnerability enables malicious JavaScript execution in victims' browsers when they access pages containing compromised form fields. The impact is characterized by low confidentiality and integrity breaches, with no effect on availability (Wiz).

Adobe has addressed this vulnerability by releasing version 6.5.23.0 for standard AEM installations and version 2025.5.0 for AEM Cloud Service. Users are advised to update to these or later versions to mitigate the vulnerability (Wiz).