CVE-2025-46848: Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged…

medium5.4CVSS 3.1

AVNACLPRLUIRSCCLILAN

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Affected

12 ranges

Vendor	Product	Version range	Fixed in
adobe	adobe_experience_manager	<= 6.5.22	—
adobe	experience_manager	< 6.5.23.0	6.5.23.0
adobe	experience_manager	< 2025.5.0	2025.5.0
msrc	azl3_kernel_6.6.47.1-1_on_azure_linux_3.0	—	—
msrc	azl3_kernel_6.6.51.1-5_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_kernel_5.15.202.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_libtasn1_4.19.0-1_on_cbl_mariner_2.0	—	—
msrc	cm1_libtasn1_4.14-3_on_cbl_mariner_1.0	—	—

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

osv9.1CRITICAL