Adobe Experience Manager
Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms.
Recent Adobe Experience Manager Security Advisories
| Advisory | Title | Published |
|---|---|---|
| APSB25-98 | Security updates available for Adobe Experience Manager Screens | October 14, 2025 |
| APSB25-90 | Security updates available for Adobe Experience Manager | September 9, 2025 |
| APSB25-82 | Security updates available for Adobe Experience Manager | August 5, 2025 |
| APSB25-68 | Security updates available for Adobe Experience Manager Screens | July 8, 2025 |
| APSB25-67 | Security updates available for Adobe Experience Manager | July 8, 2025 |
| APSB25-48 | Security updates available for Adobe Experience Manager | June 10, 2025 |
| APSB25-32 | Security updates available for Adobe Experience Manager Screens | April 8, 2025 |
| APSB25-27 | Security updates available for Adobe Experience Manager | April 8, 2025 |
| APSB24-69 | Security updates available for Adobe Experience Manager | December 10, 2024 |
| APSB24-28 | Security updates available for Adobe Experience Manager | June 11, 2024 |
By the Year
In 2025 there have been 253 vulnerabilities in Adobe Experience Manager, with an average score of 5.5 out of ten. Last year, in 2024, Experience Manager had 315 security vulnerabilities published. Right now, Experience Manager is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.10.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 253 | 5.45 |
| 2024 | 315 | 5.36 |
| 2023 | 218 | 5.41 |
| 2022 | 56 | 5.53 |
| 2021 | 11 | 6.71 |
| 2020 | 24 | 6.39 |
| 2019 | 19 | 6.83 |
| 2018 | 16 | 6.31 |
It may take a day or so for new Experience Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Adobe Experience Manager Security Vulnerabilities
Stored XSS in Adobe Experience Manager 11.6 or earlier Targeting Form Fields
CVE-2025-61797
5.4 - Medium
- October 14, 2025
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
XSS
Adobe Experience Manager <=11.6 Stored XSS in Form Fields
CVE-2025-54272
5.4 - Medium
- October 14, 2025
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
XSS
Adobe Experience Manager 11.6 and earlier: Stored XSS in form fields
CVE-2025-61796
5.4 - Medium
- October 14, 2025
Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
XSS
XML Injection in Adobe Experience Manager 6.5.x.0 Enables Unauthorized Write
CVE-2025-54251
4.3 - Medium
- September 09, 2025
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.
aka Blind XPath Injection
Adobe Experience Manager 6.5.23 RCE via Misconfiguration
CVE-2025-54253
10 - Critical
- August 05, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
AuthZ
Adobe Experience Manager XXE (Arbitrary FS Read) before 6.5.23
CVE-2025-54254
7.5 - High
- August 05, 2025
Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system. Exploitation of this issue does not require user interaction.
XXE
AEM <=6.5.22 XSS in form fields via stored scripts
CVE-2025-46958
5.4 - Medium
- August 05, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22–earlier stored XSS in form fields
CVE-2025-47001
5.4 - Medium
- July 30, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 XSS in Form Fields
CVE-2025-46993
5.4 - Medium
- July 24, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields (<=6.5.22)
CVE-2025-46996
5.4 - Medium
- July 24, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager Stored XSS via form fields v6.5.22-
CVE-2025-47061
5.4 - Medium
- July 24, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Stored XSS in Joomla CComment 5.0.0-6.1.14 component
CVE-2025-54297
- July 23, 2025
A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered.
XSS
Joomla ProFiles 1.0-1.5.0 XSS Stored Vulnerability
CVE-2025-54296
- July 23, 2025
A stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla was discovered.
XSS
Adobe Experience Manager 6.5.22- DOM XSS CVE-2025-47053
CVE-2025-47053
5.4 - Medium
- July 16, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.
XSS
Adobe Experience Manager 6.5.22- DOM-based XSS Vulnerability
CVE-2025-46959
5.4 - Medium
- July 16, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.
XSS
AEM Deserialization of Untrusted Data v6.5.23.0 or earlier: Arbitrary Code Exec
CVE-2025-49533
9.8 - Critical
- July 08, 2025
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.
Marshaling, Unmarshaling
Adobe ExMgr 11.4&earlier – Stored XSS in Form Fields
CVE-2025-49534
5.4 - Medium
- July 08, 2025
Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
XSS
Adobe Experience Manager <=11.4 XSS in form fields via stored payload
CVE-2025-49547
5.4 - Medium
- July 08, 2025
Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
XSS
Adobe Experience Manager 6.5.22 and earlier: Stored XSS in form fields
CVE-2025-46987
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 and earlier: Stored XSS in Form Fields
CVE-2025-47027
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 XSS via Form Field Injection
CVE-2025-46988
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 and earlier: Stored XSS in form fields
CVE-2025-46989
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM 6.5.22 and earlier: Stored XSS via Vulnerable Form Fields
CVE-2025-46990
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS in Form Fields
CVE-2025-46991
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS in Form Fields
CVE-2025-46992
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM Stored XSS in form fields before 6.5.22
CVE-2025-46995
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 – Stored XSS in form fields
CVE-2025-46997
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 Stored XSS in Form Fields
CVE-2025-46999
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Mgr <=6.5.22 Stored XSS via Form Fields
CVE-2025-47000
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 and earlier: Stored XSS in form fields
CVE-2025-47002
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <6.5.22 XSS in form fields
CVE-2025-47003
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Stored XSS in Adobe Experience Manager 6.5.22- (CVE-2025-47004)
CVE-2025-47004
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in Form Fields <6.5.22
CVE-2025-47005
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields before v6.5.22
CVE-2025-47006
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Mgr <=6.5.22 Forms Stored XSS
CVE-2025-47007
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS via Form Fields
CVE-2025-47017
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 and Earlier Stored XSS in Form Fields
CVE-2025-46944
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM <=6.5.22 Stored XSS in Form Fields
CVE-2025-47026
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM 6.5.22 or earlier Stored XSS in form fields
CVE-2025-47025
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 Stored XSS in Form Fields
CVE-2025-47022
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.22 and earlier: Stored XSS via form fields
CVE-2025-47021
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS in form fields
CVE-2025-47020
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields before 6.5.22
CVE-2025-47019
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager 6.5.X XSS in Form Fields (CVE-2025-47013)
CVE-2025-47013
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS in form fields
CVE-2025-47010
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
AEM 6.5.22 & < - Stored XSS via Form Fields (XSS)
CVE-2025-47011
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22 Stored XSS in Form Fields
CVE-2025-47012
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager <=6.5.22: Stored XSS in form fields
CVE-2025-47015
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager v6.5.22 and earlier: Stored XSS
CVE-2025-47016
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS
Adobe Experience Manager XSS in form fields before v6.5.22
CVE-2025-47008
5.4 - Medium
- June 10, 2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
XSS