CVE-2025-46996: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-46996. The vulnerability was discovered and disclosed on July 24, 2025, affecting Adobe Experience Manager's form field functionality (NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue that can be exploited by attackers with low privileges. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The weakness is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If successfully exploited, the vulnerability allows malicious JavaScript code to be executed in a victim's browser when they browse to a page containing the compromised form field. This can lead to unauthorized access to user data and potential session hijacking (NVD).

Adobe has addressed this vulnerability in their security advisory APSB25-48. Users are advised to update their Adobe Experience Manager installations to the latest version that includes the security fix (Adobe Systems).