Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-54251XML Injection (aka Blind XPath Injection) in Adobe Experience Manager

CWE-91XML Injection (aka Blind XPath Injection)5 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
8.4%
top 7.68%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Adobe Experience ManagerAdobe Experience Manager
Timeline
PublishedSep 9

Description

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDadobe/experience_manager6.5.23.0+2
CVEListV5adobe/adobe_experience_manager6.5.23.0

🔴Vulnerability Details

3
CVEList
Adobe Experience Manager | XML Injection (aka Blind XPath Injection) (CWE-91)2025-09-09
GHSA
GHSA-6cr4-774r-vpp6: Adobe Experience Manager versions 62025-09-09
VulnCheck
Adobe experience_manager XML Injection (aka Blind XPath Injection)2025

💥Exploits & PoCs

1
Nuclei
Adobe Experience Manager ≤ 6.5.23.0 - XML Injection
CVE-2025-54251 — Adobe Experience Manager vulnerability | cvebase