CVE-2025-46845 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes in their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is needed to trigger the payload. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, as the attacker can potentially steal session cookies, perform actions on behalf of the victim, or manipulate displayed content. There are no known exploits in the wild currently, and no patches have been linked yet. Stored XSS in AEM is particularly concerning because AEM is widely used by enterprises for content management and digital experience delivery, often hosting public-facing websites and intranet portals. Exploitation could lead to session hijacking, defacement, or distribution of malware to users visiting affected pages.

For European organizations, the impact of this vulnerability can be significant due to the widespread use of Adobe Experience Manager in government, financial, healthcare, and large enterprise sectors. Successful exploitation could lead to unauthorized access to sensitive user data, session hijacking, and potential lateral movement within internal networks if intranet portals are affected. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and financial losses. Public-facing websites compromised via stored XSS can be used to distribute malware or phishing content to European users, amplifying the threat. The medium severity score suggests that while the vulnerability is not critical, it still poses a meaningful risk especially in environments where user trust and data confidentiality are paramount. The requirement for low privileges to exploit means that even less privileged insiders or external attackers with limited access could leverage this flaw, increasing the attack surface.

Organizations should prioritize the following mitigations: 1) Apply official patches from Adobe as soon as they become available to remediate the vulnerability. 2) Implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent script injection. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Conduct regular security audits and penetration testing focused on web application vulnerabilities, including stored XSS. 5) Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM. 6) Educate content authors and administrators about the risks of injecting untrusted content. 7) Monitor logs and user reports for suspicious activity indicative of XSS exploitation attempts. 8) Restrict privileges for users who can submit content to the minimum necessary to reduce the risk of malicious input. These steps go beyond generic advice by focusing on layered defenses specific to AEM environments and the nature of stored XSS.