CVE-2025-46979: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46979. The vulnerability was discovered and disclosed on June 10, 2025, and was last modified in the National Vulnerability Database on June 13, 2025 (NVD, CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is characterized as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, user interaction requirement, and potential for both confidentiality and integrity impacts (NVD).

When exploited, this vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields. When victims browse to the page containing the compromised field, malicious JavaScript may be executed in their browser, potentially leading to unauthorized data access or manipulation (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22 for the standard installation and in versions after 2025.5.0 for AEM Cloud Service (NVD, Adobe Advisory).