CVE-2025-46985: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2025-46985 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.22 and earlier, including AEM Cloud Service versions up to 2025.5.0. The vulnerability was discovered and disclosed on June 10, 2025. This security issue affects both standard AEM installations and cloud service deployments (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, has low attack complexity, requires low privileges, and needs user interaction. The vulnerability affects confidentiality and integrity but not availability (NVD, Wiz).

When successfully exploited, this vulnerability allows attackers with low privileges to inject malicious scripts into vulnerable form fields. These injected scripts can be executed in victims' browsers when they access the page containing the compromised field, potentially leading to unauthorized data access or manipulation of the user's session (NVD).

Adobe has addressed this vulnerability by releasing patches in versions after 6.5.22 for standard installations and in versions after 2025.5.0 for AEM Cloud Service. Users are strongly advised to update to the latest version to mitigate this security risk (NVD).