CVE-2025-46902 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes in their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. Stored XSS vulnerabilities are particularly dangerous because they can be used for session hijacking, credential theft, or delivering further malware payloads by exploiting the trust relationship between the user and the affected web application. Adobe Experience Manager is a widely used enterprise content management system, often deployed by large organizations for managing digital assets and web content, making this vulnerability significant in environments where AEM is in use.

For European organizations using Adobe Experience Manager, this vulnerability poses a risk of unauthorized script execution within the browsers of employees, partners, or customers accessing affected web pages. Potential impacts include theft of session cookies, leading to account compromise, unauthorized actions performed on behalf of users, exposure of sensitive information, and potential lateral movement within the organization’s network if internal portals are affected. Since AEM is often used for public-facing websites and intranet portals, the attack surface includes both external users and internal staff. The medium severity score reflects that exploitation requires user interaction and low privileges but can lead to significant confidentiality and integrity breaches. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely on AEM for content delivery could face reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational disruptions if trust in digital services is undermined.

Given the absence of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include: 1) Conducting a thorough audit of all form fields and user input points in AEM to identify and sanitize inputs properly, employing strict input validation and output encoding to neutralize malicious scripts. 2) Applying Web Application Firewall (WAF) rules specifically designed to detect and block common XSS payloads targeting AEM endpoints. 3) Restricting user privileges to the minimum necessary, especially for users who can submit content to forms, to reduce the risk of malicious input injection. 4) Implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Monitoring logs for unusual activity or repeated attempts to inject scripts. 6) Educating users about the risks of clicking on suspicious links or interacting with untrusted content. Once Adobe releases an official patch, organizations should prioritize timely deployment after testing in staging environments. Additionally, organizations should review their incident response plans to prepare for potential exploitation scenarios.