CVE-2025-46990 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user visits a page containing the compromised form field, the malicious script executes in their browser context. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is permanently stored on the server and served to any user accessing the affected page, increasing the attack surface and potential impact. The vulnerability requires low privileges to exploit but does require user interaction, as the victim must browse to the infected page. The CVSS 3.1 base score is 5.4 (medium severity), reflecting the network attack vector, low attack complexity, low privileges required, and the need for user interaction. The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, perform actions on behalf of the user, or manipulate displayed content. Availability is not impacted. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS.

For European organizations using Adobe Experience Manager, this vulnerability poses a moderate risk. AEM is widely used by enterprises and public sector organizations for content management and digital experience delivery. Exploitation could lead to session hijacking, unauthorized actions, or data theft from users interacting with compromised pages. This is particularly concerning for organizations handling sensitive personal data or financial transactions, as malicious scripts could facilitate phishing or credential theft. Public sector websites and e-commerce platforms in Europe using affected AEM versions are at risk of reputational damage and regulatory consequences under GDPR if user data confidentiality is compromised. The stored nature of the XSS means multiple users can be affected once the payload is injected, amplifying potential damage. However, the requirement for user interaction and low privileges limits the ease of exploitation compared to more critical vulnerabilities.

European organizations should immediately audit their Adobe Experience Manager installations to identify affected versions (6.5.22 and earlier). Until an official patch is released, implement strict input validation and output encoding on all form fields to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor web application logs for suspicious input patterns indicative of XSS attempts. Educate users to be cautious when interacting with unfamiliar or unexpected content on AEM-powered sites. Consider deploying Web Application Firewalls (WAFs) with rules targeting common XSS payloads to block exploitation attempts. Once Adobe releases a security update, prioritize patching to remediate the vulnerability fully. Additionally, review user privilege assignments to minimize unnecessary permissions that could facilitate exploitation.