CVE-2025-54251

Published Sep 9, 2025

Last updated 6 months ago

CVSS medium 4.3
Adobe Experience Manager

Overview

Description
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.
Source
psirt@adobe.com
NVD status
Analyzed
Products
experience_manager

Risk scores

CVSS 3.1

Type
Primary
Base score
4.3
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity
MEDIUM

Weaknesses

psirt@adobe.com
CWE-91

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-54251 - medium 🚨 Adobe Experience Manager ≤ 6.5.23.0 - XML Injection > Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injecti... 👾 https://t.co/pkFazEwUvb @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    30 Sept 2025

    153 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  2. Ever stumbled on an AEM box and thought “ok… now what?” 😏 We dropped hopgoblin — new research + tool XXE, SSRF, XSS & more (CVE-2025-54251, -54249, -54252, -54250/47/48/46). 👀 time for some crits eh? 👉 https://t.co/mt7Hy0L8DN https://t.co/ZN6YfeZBOj

    @ITSecurityguard

    25 Sept 2025

    11810 Impressions

    31 Retweets

    188 Likes

    106 Bookmarks

    2 Replies

    0 Quotes

  3. CVE-2025-54251 Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged… https://t.co/RNCW3fvFfJ

    @CVEnew

    9 Sept 2025

    427 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27262
  2. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27266
  3. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27265
  4. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27256
  5. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27257

References

Sources include official advisories and independent security research.