CVE-2025-46987: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported to Adobe Systems Incorporated, with the CVE ID CVE-2025-46987 being assigned on April 30, 2025, and publicly disclosed on June 10, 2025 (CVE, NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that affects form fields within Adobe Experience Manager. The CVSS v3.1 base score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires low attack complexity, requires low privileges to exploit, and needs user interaction (NVD, Wiz).

When exploited, this vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields. When victims browse to the page containing the compromised field, the malicious JavaScript executes in their browser, potentially leading to unauthorized data access or manipulation of the user's session (NVD).

Adobe has addressed this vulnerability in versions after 6.5.22. Organizations running affected versions should upgrade to the latest version. The vulnerability affects both on-premise installations up to version 6.5.22 and AEM Cloud Service versions prior to 2025.5.0 (NVD).