Platform: adobe
Component: adobe-experience-manager
Fixed in: 6.5.24
A DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-64539) has been identified in Adobe Experience Manager versions 6.5.23 and earlier. Successful exploitation allows an attacker to inject malicious scripts into a web page, which are then executed within the context of a victim's browser. This can lead to session takeover and compromise the confidentiality and integrity of sensitive data. The vulnerability was publicly disclosed on December 10, 2025.
This XSS vulnerability poses a significant threat because it allows attackers to execute arbitrary script within the user's browser. An attacker could leverage this to steal session cookies, hijack user accounts, and perform actions on behalf of the victim without their knowledge. The impact is amplified by the potential for session takeover, granting the attacker access to sensitive data and functionality within the Adobe Experience Manager environment. Although exploitation requires user interaction (visiting a malicious page), that barrier is low, as attackers can distribute crafted links through channels such as phishing emails or compromised websites.
The vulnerability is considered critical due to its potential for session takeover. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation. As of the publication date (December 10, 2025), there is no indication of active exploitation campaigns, but the vulnerability's severity warrants immediate attention. This vulnerability has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.73% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64539 is to upgrade to a patched version of Adobe Experience Manager. Adobe has not yet released a fixed version, so monitor Adobe's security advisories for updates. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed. Input validation and output encoding on user-supplied data can also help reduce the attack surface. Regularly review and update your web application firewall (WAF) rules to detect and block malicious script injections.
Update Adobe Experience Manager to a version later than 6.5.23. See the Adobe security bulletin for more details and specific upgrade instructions.
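The two workarounds named above, output encoding and a strict Content Security Policy, are shown below in a generic, added example. This is illustrative code written for this page; it is not Adobe's code and says nothing about where the AEM sink lies. The sample policies, the nonce value `r4nd0m` and the input strings are constructed for the demonstration, and the audit rules are a deliberately small set, not a complete CSP checker.

```javascript
// Added example (not from the advisory or from Adobe): two defensive
// controls for DOM-based XSS, shown generically.
// 1. Output encoding: untrusted text is HTML-escaped before it is placed in
//    an HTML context, so markup in the data is displayed rather than parsed.
// 2. Content Security Policy: build a header value, and audit an existing
//    one for settings that leave injected scripts executable.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a string for insertion into element content or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe DOM write: assign via textContent so the value is never parsed as
// markup. `el` is any object with a textContent property (a real Element
// in the browser, or a plain object when run offline as in the test).
function renderAsText(el, untrusted) {
  el.textContent = String(untrusted);
  return el;
}

// Build a CSP header value from a directive map, e.g.
// { "default-src": ["'self'"], "script-src": ["'self'", "'nonce-r4nd0m'"] }
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a CSP header value back into { directiveName: [sources] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Audit a CSP for settings that weaken its protection against injected
// scripts. Returns a list of findings; an empty list means none of the
// (small, constructed) rules below fired.
function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = policy["script-src"] ?? policy["default-src"];
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts from any origin may run");
    return findings;
  }
  const lower = scriptSrc.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
  // present, so only flag it when it is actually in effect.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    findings.push("'unsafe-inline' in script-src: inline injected scripts will execute");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script-src: string-to-code sinks stay usable");
  }
  if (lower.includes("*") || lower.some((s) => /^(https?:|data:)$/.test(s))) {
    findings.push("wildcard or scheme-only source in script-src: attacker-hosted scripts may load");
  }
  return findings;
}

// Constructed demo: a weak policy beside a corrected one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
const STRONG_CSP = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'", "'nonce-r4nd0m'"],
  "object-src": ["'none'"],
});
```

A nonce-based `script-src` only helps when every legitimate inline script on the page carries a fresh per-response nonce; a policy that is correct by `auditCsp` but not deployed with matching nonces will break the site rather than protect it, so test it in report-only mode first.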
CVE-2025-64539 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions up to and including 6.5.23, allowing attackers to inject malicious scripts.
If you are running Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and apply the necessary patches.
Upgrade to a patched version of Adobe Experience Manager as soon as it becomes available. Monitor Adobe's security advisories for updates and implement temporary workarounds like CSP.
As of December 10, 2025, there is no confirmed active exploitation, but the vulnerability's severity warrants immediate action to prevent potential attacks.
Refer to the official Adobe Security Bulletin for CVE-2025-64539 on the Adobe Security Advisories website (adobe.com/security/advisories).