CVE-2025-49534 — Cross-site Scripting in Adobe Experience Manager

CWE-79 — Cross-site Scripting CWE-401 — Missing Release of Memory after Effective Lifetime4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 85.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Experience Manager Adobe Experience Manager

Timeline

PublishedJul 8

Latest updateJul 9

Description

Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5adobe/adobe_experience_managerFP11.4

▶NVDadobe/experience_manager6.5.22.0

🔴Vulnerability Details

GHSA

GHSA-cq9g-6hw9-rmv4: Adobe Experience Manager versions 11↗2025-07-09

▶

CVEList

Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)↗2025-07-08

▶

📋Vendor Advisories

Microsoft

scsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT↗2025-02-11

▶