
CVE-2025-46838: Cross-site Scripting (DOM-based XSS) (CWE-79) in Adobe Experience Manager

Medium
Published: Tue Jun 10 2025 (06/10/2025, 22:20:13 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

AI-Powered Analysis

Last updated: 07/11/2025, 20:46:31 UTC

Technical Analysis

CVE-2025-46838 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim subsequently accesses the affected page containing the vulnerable form field, the malicious script executes in their browser context. This DOM-based XSS attack can lead to the theft of session cookies, user impersonation, unauthorized actions on behalf of the victim, or the delivery of further malware payloads. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and requires user interaction (victim visiting the compromised page). The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

Potential Impact

For European organizations using Adobe Experience Manager, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions and data. A successful exploit could allow attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions within the context of the victim’s privileges. This is particularly concerning for organizations that use AEM to manage customer-facing portals, intranets, or internal applications where sensitive personal or corporate data is handled. The persistent nature of stored XSS increases the risk of widespread impact if attackers inject scripts that affect multiple users. Although availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be significant. The requirement for user interaction and low privilege reduces the ease of exploitation but does not eliminate risk, especially in environments with many users or where social engineering can be leveraged.

Mitigation Recommendations

Organizations should prioritize applying any forthcoming official patches from Adobe as soon as they become available. In the interim, they should conduct a thorough audit of all form fields and input points within their AEM instances to identify and sanitize inputs rigorously, employing context-aware output encoding to prevent script injection. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Regularly review user privileges to minimize the number of users with the ability to submit data that could be exploited. Employ web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM. Additionally, educate users about the risks of clicking on suspicious links or interacting with untrusted content within the AEM environment. Monitoring logs for unusual input patterns or script injections can help detect exploitation attempts early.
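The context-aware output encoding recommended above, as an added example that is not AEM code or Adobe's fix: a stored form-field value is rendered once by string concatenation (the pattern that allows the script to execute) and once with an encoder chosen for each HTML context, alongside an assumed baseline CSP header. The sample stored value, field names and policy are constructed for the illustration.

```javascript
// Encode for an HTML text node (content between tags).
function encodeForHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encode for a double-quoted HTML attribute value: everything except
// alphanumerics becomes &#xHH;, so a stored value can never close the
// quote or introduce a new attribute such as an on* event handler.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Vulnerable pattern: the persisted value is concatenated straight into markup.
function renderFieldUnsafe(label, storedValue) {
  return `<label>${label}</label><input value="${storedValue}">`;
}

// Hardened pattern: each interpolation uses the encoder for its context
// (text node for the label, attribute value for the stored field content).
function renderFieldSafe(label, storedValue) {
  return `<label>${encodeForHtmlText(label)}</label>` +
         `<input value="${encodeForHtmlAttribute(storedValue)}">`;
}

// Assumed baseline policy for a content-managed site (tune per deployment):
// no inline scripts, scripts only from the site's own origin.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample: a value a low-privileged user might save into a form field.
const SAMPLE_STORED_VALUE = '"><script>console.log(1)</script>';

// Returns true when the rendered markup contains no raw tag or quote
// characters originating from the stored value.
function isNeutralized(html) {
  const afterValue = html.slice(html.indexOf('value="') + 7);
  return !afterValue.includes('<') && afterValue.indexOf('"') === afterValue.length - 2;
}

console.log('unsafe :', renderFieldUnsafe('Name', SAMPLE_STORED_VALUE));
console.log('safe   :', renderFieldSafe('Name', SAMPLE_STORED_VALUE));
console.log('Content-Security-Policy:', CSP_HEADER);
```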


Technical Details

Data Version: 5.1
Assigner Short Name: adobe
Date Reserved: 2025-04-30T20:47:54.944Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6848b1923cd93dcca8311d7f

Added to database: 6/10/2025, 10:28:34 PM

Last enriched: 7/11/2025, 8:46:31 PM

Last updated: 8/7/2025, 8:14:54 PM

Views: 22
