CVE-2025-46923 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes within their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.4 (medium severity), with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction (visiting the page) is necessary. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. Availability is not affected. The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component, likely impacting other parts of the application or user sessions. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. Adobe Experience Manager is a widely used enterprise content management system, often deployed in large organizations for managing digital assets and web content, making this vulnerability significant in environments where AEM is used to serve content to internal or external users.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity of user sessions and data handled via Adobe Experience Manager portals. Attackers could exploit this flaw to execute malicious scripts that steal session cookies, perform unauthorized actions, or deliver further malware payloads to users interacting with affected web pages. This could lead to data breaches, unauthorized access to sensitive information, and reputational damage. Organizations relying on AEM for customer-facing websites, intranets, or digital asset management are particularly at risk. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but can be escalated if combined with social engineering or phishing campaigns. The vulnerability could also be leveraged to bypass access controls or impersonate users, impacting compliance with GDPR and other European data protection regulations. The lack of a patch at the time of disclosure increases the urgency for mitigation measures to prevent exploitation.

European organizations using Adobe Experience Manager should immediately audit their AEM deployments to identify affected versions (6.5.22 and earlier). Until an official patch is released, organizations should implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent script injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting known vulnerable endpoints. Restrict privileges of users who can submit data to vulnerable forms to minimize the attack surface. Educate users to be cautious when clicking links or interacting with content served by AEM portals. Monitor logs for unusual activity or repeated attempts to inject scripts. Additionally, consider isolating AEM instances from critical internal networks and enforcing Content Security Policy (CSP) headers to limit the impact of any injected scripts. Once Adobe releases an official patch, prioritize prompt testing and deployment. Regularly update and patch AEM and related components to reduce exposure to similar vulnerabilities.