Cyber Posture

CVE-2026-21284

High

Published: 11 March 2026

Published
11 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0024 47.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…

more

executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match
prevent

Filters information output to web pages to prevent execution of injected malicious JavaScript in victims' browsers when accessing pages with vulnerable form fields.

SI-10 Information Input Validation good match
prevent

Validates inputs to vulnerable form fields to block injection of malicious scripts by high-privileged attackers.

SI-2 Flaw Remediation good match
prevent

Remediates the stored XSS flaw in affected Adobe Commerce versions by applying vendor-provided patches from APSB26-05.

Security SummaryAI

CVE-2026-21284 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The flaw allows injection of malicious scripts into vulnerable form fields, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N). It was published on 2026-03-11.

A high-privileged attacker can exploit this vulnerability over the network with low complexity by injecting malicious JavaScript into affected form fields. Exploitation requires a victim to browse to the page containing the injected content, at which point the script executes in the victim's browser. Successful attacks enable session takeover, resulting in high confidentiality and integrity impacts, though availability is unaffected.

For mitigation details, refer to the Adobe Product Security Bulletin at https://helpx.adobe.com/security/products/magento/apsb26-05.html.

Details

CWE(s)
CWE-79

Affected Products

adobe
commerce b2b
1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.2 · ≤ 1.3.3
adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4
adobe
magento
2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9 · ≤ 2.4.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

Stored XSS in public-facing Adobe Commerce enables exploitation of the application (T1190) to inject and execute malicious JavaScript in victims' browsers, facilitating web session cookie theft (T1539) for session takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References