Cyber Posture

CVE-2026-21361

High

Published: 11 March 2026

Published
11 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0011 28.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…

more

executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates inputs to vulnerable form fields in Adobe Commerce, preventing high-privileged attackers from injecting malicious JavaScript.

SI-15 Information Output Filtering good match
prevent

Filters outputs when rendering pages with vulnerable form fields, blocking execution of stored malicious scripts in victims' browsers.

AC-22 Publicly Accessible Content good match
prevent

Checks publicly accessible content in Adobe Commerce for interpretative objects like injected JavaScript prior to serving to victims.

Security SummaryAI

CVE-2026-21361 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. Published on 2026-03-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N). The flaw enables a high-privileged attacker to inject malicious scripts into vulnerable form fields.

A high-privileged attacker (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by injecting malicious JavaScript into affected form fields. When a victim browses to the page containing the injected script, it executes in their browser (UI:R), potentially enabling session takeover and resulting in high confidentiality and integrity impacts (C:H/I:H) due to the changed scope (S:C).

The Adobe security advisory provides details on mitigation; see https://helpx.adobe.com/security/products/magento/apsb26-05.html.

Details

CWE(s)
CWE-79

Affected Products

adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4
adobe
commerce b2b
1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.2 · ≤ 1.3.3
adobe
magento
2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9 · ≤ 2.4.5

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

Stored XSS enables injection and execution of malicious JavaScript (T1059.007) in victims' browsers, facilitating web session cookie theft (T1539) for session takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References