CVE-2025-46955 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses the affected page containing the vulnerable form field, the malicious script executes within their browser context. The vulnerability is categorized under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, requires low privileges, and user interaction is necessary for exploitation. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, as the attacker can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Availability impact is not present. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was reserved in late April 2025 and published in June 2025, indicating recent discovery and disclosure. Given AEM's role as a content management system widely used for enterprise web content delivery, exploitation could compromise user trust and lead to data leakage or unauthorized access to sensitive information through client-side attacks.

For European organizations using Adobe Experience Manager, this vulnerability poses a significant risk to web application security and user data confidentiality. Since AEM is commonly deployed by large enterprises, government agencies, and public sector organizations across Europe for managing digital content and customer interactions, exploitation could lead to unauthorized script execution in end-users' browsers. This may result in session hijacking, theft of authentication tokens, or manipulation of displayed content, undermining user trust and potentially violating data protection regulations such as GDPR. The medium severity score indicates that while the vulnerability does not directly compromise server integrity or availability, the indirect effects on confidentiality and integrity of user sessions can have serious reputational and compliance consequences. Additionally, the requirement for low privileges to inject scripts means that even less privileged insiders or external attackers with limited access could exploit this flaw. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as threat actors often develop exploits rapidly after public disclosure.

European organizations should prioritize the following mitigation steps: 1) Immediate assessment of Adobe Experience Manager instances to identify versions 6.5.22 and earlier in use. 2) Apply any forthcoming official patches from Adobe as soon as they become available. 3) In the interim, implement strict input validation and output encoding on all form fields within AEM to neutralize potentially malicious scripts. 4) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing AEM-managed sites. 5) Conduct thorough security testing, including penetration testing focused on XSS vectors, to identify and remediate any additional injection points. 6) Educate developers and administrators on secure coding practices related to DOM-based XSS. 7) Monitor web traffic and logs for unusual script injections or suspicious user activity indicative of exploitation attempts. 8) Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM. These measures, combined with timely patching, will reduce the attack surface and mitigate the risk posed by this vulnerability.