Platform
adobe
Component
adobe-experience-manager
Fixed in
6.5.24
CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier. This vulnerability allows an attacker to inject malicious scripts into a web page, which are then executed within the context of a victim's browser. While exploitation requires user interaction (visiting a crafted page), the potential impact is severe, including session takeover and data breaches. Adobe has released updates to address this issue.
The primary impact of CVE-2025-64538 is the potential for arbitrary code execution within the victim's browser. An attacker can leverage this to steal session cookies, redirect users to malicious websites, or deface the website. The vulnerability’s DOM-based nature means that the attacker doesn't necessarily need to control the entire page, only a specific element. This makes it easier to exploit than traditional XSS vulnerabilities. The ability to achieve session takeover significantly increases the confidentiality and integrity impact, as an attacker can impersonate legitimate users and access sensitive data. The blast radius extends to any user who interacts with a page containing the injected script.
CVE-2025-64538 was publicly disclosed on December 10, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and severity suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The potential for session takeover makes this a high-priority vulnerability to address.
Exploit Status
EPSS
0.73% (72% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64538 is to upgrade to a patched version of Adobe Experience Manager. Adobe has released updates to address this vulnerability; refer to the official Adobe security advisory for specific version details. If immediate patching is not possible, consider implementing strict input validation and output encoding on all user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your Experience Manager instance for vulnerabilities using automated security tools.
Update Adobe Experience Manager to a version later than 6.5.23. This will resolve the DOM-based XSS vulnerability. Refer to the Adobe security advisory for more details and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-64538 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager versions 0–6.5.23, allowing attackers to inject malicious scripts and potentially take over user sessions.
If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for specific version details and patching instructions.
While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Proactive patching is highly recommended.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.