CVE-2025-46998 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises due to insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses a page containing the compromised form field, the malicious script executes in their browser context. This can lead to unauthorized actions such as session hijacking, credential theft, or unauthorized manipulation of the web application interface. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction required (UI:R), and scope changed (S:C). The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on August 20, 2025, with the reservation date on April 30, 2025.

For European organizations using Adobe Experience Manager, this vulnerability poses a moderate risk. AEM is widely used by enterprises and public sector organizations for content management and digital experience delivery. Exploitation could allow attackers to execute malicious scripts in the browsers of users, potentially leading to theft of sensitive information such as authentication tokens or personal data, unauthorized actions on behalf of users, or defacement of web content. Given the persistent nature of stored XSS, the impact could be long-lasting and affect multiple users. This is particularly concerning for organizations handling sensitive or regulated data under GDPR, as data breaches could lead to regulatory penalties and reputational damage. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing the likelihood of targeted attacks, especially in sectors like finance, government, and healthcare where AEM is prevalent.

Organizations should prioritize updating Adobe Experience Manager to versions beyond 6.5.22 once patches are released by Adobe. Until patches are available, implement strict input validation and output encoding on all form fields to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize existing content stored in AEM to detect and remove any injected malicious scripts. Enhance user awareness to recognize suspicious behaviors or unexpected prompts when interacting with AEM-hosted content. Additionally, restrict access to AEM administrative and content authoring interfaces to trusted personnel only, and monitor logs for unusual input patterns or repeated failed attempts that might indicate exploitation attempts.