CVE-2025-47006: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-47006. The vulnerability was first published on June 10, 2025, and was discovered and reported by Adobe Systems Incorporated. This security flaw allows low-privileged attackers to inject malicious scripts into vulnerable form fields (NVD CVE, MITRE CVE).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires user interaction, can change scope, and can impact both confidentiality and integrity at a low level, with no impact on availability (Wiz Analysis).

When victims browse to a page containing the compromised field, the malicious JavaScript code can be executed in their browser, potentially leading to unauthorized data access or manipulation. The vulnerability affects both confidentiality and integrity at a low level, while having no impact on system availability (NVD CVE).

Adobe has acknowledged the vulnerability and users are advised to upgrade to versions newer than 6.5.22 when available. The vulnerability affects Adobe Experience Manager versions 6.5.22 and earlier (Adobe Security).