CVE-2025-46854: Cross-site Scripting (DOM-based XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2025-46854 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. It arises from insufficient input sanitization in certain form fields, which allows a low-privileged attacker to inject JavaScript that is persistently stored on the server. When a victim later accesses a page containing the vulnerable form field, the script executes in the victim's browser context. The advisory classifies the issue as DOM-based XSS: the stored payload is inserted into the Document Object Model by client-side code, so it can bypass some traditional server-side input validation mechanisms.

Exploitation requires authenticated access at a low privilege level and user interaction (the victim must visit the page carrying the payload). The CVSS v3.1 base score is 5.4 (medium severity), reflecting the network attack vector, low attack complexity, required privileges, and required user interaction. The impact is to confidentiality and integrity: an injected script can steal session tokens, perform actions on behalf of the user, or manipulate displayed content. Availability is not impacted.

No known exploits are currently reported in the wild, and no official patches or mitigation links have been published yet. The vulnerability is categorized under CWE-79, a common and well-understood XSS weakness. Given the widespread use of AEM in enterprise content management and web experience delivery, the vulnerability poses a significant risk if exploited, especially where sensitive user data or administrative functions are exposed through the affected forms.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, particularly for those relying on Adobe Experience Manager to deliver customer-facing websites, intranets, or digital services. Exploitation could lead to session hijacking, unauthorized actions performed under the victim's credentials, and data leakage, undermining user trust and potentially violating GDPR requirements related to data protection and breach notification. Organizations in sectors such as finance, healthcare, government, and e-commerce are especially at risk due to the sensitive nature of the data handled and the regulatory scrutiny they face. Because stored XSS is persistent, a single injected script can affect every user who views the page until it is removed, widening the set of affected users over time. The requirement for only low privilege to inject scripts lowers the barrier for attackers, while the required user interaction (visiting the affected page) is ordinary behaviour for web users. The vulnerability could also serve as a foothold for further attacks, including phishing or delivering malware payloads. Given the interconnectedness of European digital services, a successful attack could have cascading effects on partner organizations and supply chains.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:
- Conducting a thorough review and audit of all form fields in Adobe Experience Manager to identify, and temporarily disable or restrict, those that accept user input and could be vulnerable.
- Implementing strict Content Security Policy (CSP) headers that restrict the execution of inline scripts and limit the sources from which scripts can be loaded, reducing the impact of any injected script.
- Employing web application firewalls (WAFs) with custom rules to detect and block common XSS payload patterns targeting AEM forms.
- Enhancing user awareness, and monitoring for unusual user activity or reports of suspicious behaviour on affected web properties.
- Preparing for rapid deployment of official patches once released by Adobe, including testing in staging environments to ensure compatibility.
- Using input validation and output encoding best practices in any custom AEM components or extensions to minimize injection risks.
- Restricting access to AEM authoring environments and administrative interfaces to trusted personnel and networks, to reduce the risk of low-privilege attackers gaining access.
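As an added illustration of the output-encoding recommendation (and of the pattern check a WAF rule or submission monitor might apply), not code from Adobe or from this advisory: a hypothetical custom component that renders a stored form-field value, shown unencoded beside the encoded version, plus a heuristic that flags submitted values carrying markup. The component name and sample values are constructed.

```javascript
// Added example, not Adobe code: rendering a stored form-field value in a
// hypothetical custom AEM component, unencoded (vulnerable) vs encoded (safe),
// plus a heuristic check for markup injection in submitted values.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode for the HTML text context and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is spliced into markup as-is, so any
// tag in it becomes part of the DOM when the page is rendered.
function renderUnsafe(fieldValue) {
  return `<span class="form-field">${fieldValue}</span>`;
}

// Hardened pattern: same markup, but the value is encoded, so the browser
// shows the characters literally instead of parsing them as tags.
function renderSafe(fieldValue) {
  return `<span class="form-field">${escapeHtml(fieldValue)}</span>`;
}

// Heuristic for monitoring or WAF-style checks on submitted values. It is a
// detection aid only; output encoding is the actual control.
const SUSPECT_PATTERNS = [
  /<\/?[a-z][\w-]*/i,   // start of an HTML/SVG tag ("a < b" does not match)
  /\bon[a-z]+\s*=/i,    // inline event-handler attribute
  /javascript\s*:/i,    // script URL scheme
];
function looksLikeMarkupInjection(fieldValue) {
  return SUSPECT_PATTERNS.some((re) => re.test(String(fieldValue)));
}

// Constructed sample values: one ordinary, one carrying a script tag.
const SAMPLES = ['Jane Doe', 'Jane <script>evil()</script>'];

for (const v of SAMPLES) {
  console.log(looksLikeMarkupInjection(v) ? 'SUSPECT' : 'ok     ', renderSafe(v));
}
```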
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: adobe
- Date Reserved: 2025-04-30T20:47:54.946Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6848b1933cd93dcca8311db0
Added to database: 6/10/2025, 10:28:35 PM
Last enriched: 7/11/2025, 7:34:20 PM
Last updated: 8/18/2025, 11:29:10 PM
Related Threats
- CVE-2025-43761 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
- CVE-2025-24902 (Critical): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
- CVE-2025-52451 (High): CWE-20 Improper Input Validation in Salesforce Tableau Server
- CVE-2025-52450 (High): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Salesforce Tableau Server
- CVE-2025-26498 (Critical): CWE-434 Unrestricted Upload of File with Dangerous Type in Salesforce Tableau Server