CVE-2025-46918 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within the AEM platform, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses the affected page containing the malicious payload, the injected script executes in their browser context. This can lead to unauthorized actions such as session hijacking, credential theft, or performing actions on behalf of the user. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges, and user interaction (victim must visit the malicious page). The scope is changed, meaning the vulnerability can impact resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. However, given the widespread use of AEM in enterprise content management and digital experience delivery, this vulnerability poses a significant risk if exploited.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Adobe Experience Manager to manage corporate websites, intranets, or customer portals. Exploitation could lead to compromise of user sessions, leakage of sensitive information, and potential defacement or unauthorized content injection. This can damage organizational reputation, lead to regulatory non-compliance under GDPR due to data exposure, and disrupt business operations. Attackers could leverage the vulnerability to conduct phishing campaigns or deliver malware through trusted websites. Since AEM is often integrated with other enterprise systems, the XSS could serve as an entry point for further lateral movement or privilege escalation within the network. The requirement for low privileges to inject the payload increases the risk, as even non-administrative users or external attackers exploiting exposed forms could trigger the attack.

Organizations should immediately audit their Adobe Experience Manager deployments to identify if they are running version 6.5.22 or earlier. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data in form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Review and harden user permissions to minimize the ability of low-privileged users to submit content that could be malicious. Monitor web logs and application behavior for unusual input patterns or script injections. Consider deploying Web Application Firewalls (WAFs) with rules targeting common XSS payloads specific to AEM. Educate users to recognize suspicious website behavior and avoid interacting with untrusted content. Once Adobe releases a patch, prioritize its deployment after thorough testing in staging environments to avoid service disruption.