CVE-2025-46972 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes in their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges but user interaction (visiting the malicious page), and impacts confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no official patches have been linked yet. Stored XSS in AEM is particularly concerning because AEM is widely used for enterprise content management and digital experience delivery, often hosting sensitive corporate and customer-facing web applications. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user, potentially compromising sensitive data and trust in the affected web properties.

For European organizations, the impact of this vulnerability can be significant due to the widespread use of Adobe Experience Manager in government, finance, healthcare, and large enterprises across Europe. Exploitation could lead to unauthorized access to sensitive information, defacement of public-facing websites, and erosion of customer trust. Given the scope change in the CVSS vector, the vulnerability could allow attackers to escalate the impact beyond the initially compromised component, affecting multiple users and systems. This is particularly critical for organizations subject to GDPR and other stringent data protection regulations, as data breaches resulting from XSS attacks could lead to regulatory fines and reputational damage. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to lure victims to maliciously crafted pages, increasing the attack surface. The medium severity score suggests a moderate but non-negligible risk that must be addressed promptly to prevent exploitation in environments where AEM is integral to digital operations.

To mitigate this vulnerability, European organizations should first identify all instances of Adobe Experience Manager 6.5.22 or earlier in their environment. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data in AEM forms, especially those exposed to external users. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Conduct thorough security testing, including automated and manual penetration tests focusing on DOM-based XSS vectors. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content. Monitor web server logs and application behavior for unusual activity indicative of XSS exploitation attempts. Once Adobe releases a patch, prioritize its deployment in all affected environments. Additionally, consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. Finally, review and harden AEM configurations to minimize exposure of vulnerable components and restrict privileges to the minimum necessary for operation.