CVE-2025-46977: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46977. The vulnerability was discovered and reported to Adobe Systems Incorporated, with the initial CVE record being created on April 30, 2025, and published to the NVD on June 10, 2025 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that affects form fields within Adobe Experience Manager. It has received a CVSS v3.1 base score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with potential impacts on confidentiality and integrity (NVD, Wiz).

When exploited, this vulnerability allows malicious JavaScript execution in a victim's browser when they navigate to a page containing the compromised field. The impact is considered medium severity, with potential consequences affecting both confidentiality and integrity of the system, though there is no impact on availability (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations running affected versions should upgrade to the latest version of Adobe Experience Manager to mitigate this security risk (Vendor Advisory).