CVE-2025-46922 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes within their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges, and user interaction (victim must visit the affected page). The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are reported in the wild as of the published date (June 10, 2025). Stored XSS in AEM is particularly concerning because AEM is widely used for managing enterprise web content, and exploitation can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim user. Given that AEM is often deployed in customer-facing portals or internal intranets, the risk includes both external and internal threat vectors.

For European organizations, the impact of this vulnerability can be significant due to the widespread adoption of Adobe Experience Manager in sectors such as government, finance, healthcare, and retail. Exploitation could lead to unauthorized access to sensitive user data, session hijacking, and potential lateral movement within corporate networks if internal portals are affected. Confidentiality breaches could expose personal data protected under GDPR, leading to regulatory penalties and reputational damage. Integrity impacts could allow attackers to manipulate displayed content or inject misleading information, undermining trust in corporate websites or intranet resources. The requirement for user interaction (visiting a maliciously crafted page) means phishing or social engineering campaigns could be used to trigger exploitation. The medium CVSS score reflects a moderate risk but should not be underestimated given the potential for targeted attacks against high-value European entities. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

European organizations using Adobe Experience Manager should immediately assess their deployment versions and prioritize upgrading to a patched version once available from Adobe. In the absence of an official patch, implement strict input validation and output encoding on all user-supplied data in form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough code reviews and penetration testing focused on XSS vectors within AEM-managed applications. Educate users and administrators about phishing risks and encourage cautious behavior when interacting with unfamiliar links or content. Additionally, monitor web server logs and application behavior for unusual input patterns or error messages indicative of attempted exploitation. Deploy Web Application Firewalls (WAFs) with updated rules to detect and block XSS payloads targeting AEM. Finally, ensure incident response plans include procedures for rapid containment and remediation of XSS incidents.