Cyber Posture

CVE-2026-27243

Critical

Published: 14 April 2026

Published
14 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0011 28.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account…

more

or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the reflected XSS vulnerability by requiring timely application of vendor patches as specified in Adobe's security bulletin APSB26-37.

SI-10 Information Input Validation good match
prevent

Prevents exploitation by validating and sanitizing untrusted inputs from malicious URLs before processing in Adobe Connect web pages.

SI-15 Information Output Filtering good match
prevent

Filters and encodes reflected content in web outputs to block execution of injected malicious scripts in victims' browsers.

Security SummaryAI

CVE-2026-27243 is a reflected Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. This flaw allows attackers to inject malicious scripts into web pages served by the affected software. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and high impacts on confidentiality and integrity.

Any unauthenticated attacker can exploit this vulnerability by crafting a malicious URL or compromising a web page that a victim interacts with, such as by clicking a link in phishing emails, social engineering, or malicious advertisements. Successful exploitation requires victim interaction but enables script injection, potentially allowing the attacker to steal session cookies, impersonate the user, or gain elevated access and control over the victim's account or session within Adobe Connect.

Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, addresses this vulnerability and provides guidance on mitigation. Security practitioners should consult the advisory for details on available patches and recommended remediation steps for affected Adobe Connect deployments.

Details

CWE(s)
CWE-79

Affected Products

adobe
connect
≤ 12.11
adobe
connect desktop application
≤ 2025.3 · ≤ 2025.9.15

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
Why these techniques?

Reflected XSS in public-facing Adobe Connect enables unauthenticated exploitation (T1190: Exploit Public-Facing Application) via malicious URLs that trick victims into executing arbitrary JavaScript (facilitating T1566.002: Spearphishing Link).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References