CVE-2025-46904 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM platform. When a victim accesses a page containing the compromised form field, the malicious script executes in the context of the victim’s browser. Stored XSS vulnerabilities are particularly dangerous because the injected payload is saved on the server and served to multiple users, increasing the attack surface and potential impact. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations should prioritize monitoring and mitigation efforts. The vulnerability’s exploitation requires user interaction, such as a victim visiting a malicious or compromised page, but does not require high privileges to inject the malicious payload, making it a moderate risk in environments where users access AEM-managed content.

For European organizations using Adobe Experience Manager, this vulnerability poses a risk of client-side script execution leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. Given AEM’s widespread use in enterprise content management, marketing websites, and intranet portals, exploitation could lead to data leakage, defacement, or compromise of user trust. The confidentiality and integrity of user data could be undermined, especially if attackers leverage the XSS to steal authentication tokens or manipulate content. While availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be significant. Organizations with public-facing AEM instances or internal portals accessed by employees are particularly at risk. The medium severity score reflects the need for timely remediation but indicates that the vulnerability is not trivially exploitable without user interaction and some level of access.

European organizations should implement the following specific mitigations: 1) Immediately review and sanitize all user input fields in AEM forms to ensure proper encoding and validation, preventing script injection. 2) Apply any available Adobe patches or updates as soon as they are released; if patches are not yet available, consider temporary workarounds such as disabling vulnerable form fields or restricting access to affected pages. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing AEM content. 4) Conduct thorough security testing and code reviews focusing on input handling within AEM components. 5) Educate users to recognize suspicious links or content that could trigger XSS payloads. 6) Monitor web server and application logs for unusual input patterns or error messages indicative of attempted exploitation. 7) Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. These targeted actions go beyond generic advice by focusing on AEM-specific input vectors and leveraging layered defenses to reduce risk until official patches are deployed.