CVE-2025-46890 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user subsequently accesses the affected page containing the injected script, the malicious code executes in their browser context. The vulnerability arises due to insufficient input validation and output encoding in the handling of form inputs, enabling persistent script injection. The attack vector is remote network access (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed in the victim’s browser session. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. The CVSS v3.1 base score is 5.4, categorizing it as a medium severity vulnerability.

For European organizations using Adobe Experience Manager, this vulnerability poses a significant risk to web application security and user trust. A successful exploit could lead to the theft of sensitive information such as authentication tokens, personal data, or internal business information, compromising confidentiality. Integrity may be affected if attackers manipulate content or perform unauthorized actions on behalf of users. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be severe. Organizations in sectors like finance, healthcare, government, and e-commerce that rely on AEM for content management and customer interaction are particularly vulnerable. The requirement for user interaction means phishing or social engineering could be leveraged to increase exploitation success. Given the widespread use of AEM in Europe, the vulnerability could be exploited to target employees, customers, or partners, leading to broader organizational impact.

Organizations should immediately audit their Adobe Experience Manager deployments to identify affected versions (6.5.22 and earlier). Until an official patch is released, implement strict input validation and output encoding on all form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Enable and enforce multi-factor authentication (MFA) to reduce the impact of stolen credentials. Conduct user awareness training to recognize and avoid phishing attempts that could trigger the vulnerability. Monitor web application logs for unusual input patterns or script injections. Segregate administrative interfaces and restrict access to trusted IP ranges. Plan for rapid deployment of Adobe’s official security updates once available. Additionally, consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads targeting AEM forms.