Cyber Posture

CVE-2026-27245

Severity: Critical
Published: 14 April 2026
Modified: 28 April 2026
KEV Added: (no date listed)
Patch: see the Adobe security bulletin referenced below
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: Directly remediates the reflected XSS flaw in Adobe Connect by requiring timely application of the vendor patches specified in the security bulletin.
- Prevent: Filters and encodes information output to web pages so that script injected through the request is rendered as inert text in the victim's browser rather than executed. Context-aware output encoding is the primary defence against reflected XSS; a Content Security Policy that disallows inline script adds a second layer.
- Prevent: Validates untrusted input arriving in request URLs so that script payloads are rejected before they reach Adobe Connect web responses. Validation narrows the attack surface but does not replace output encoding, because payloads that pass a denylist still need to be neutralised at the point of output.
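The two application-level controls above, shown side by side as an added example (this is not Adobe Connect's code, and the "/welcome" path, the "msg" query parameter and the page template are hypothetical stand-ins for any response that echoes request data): a sink that reflects a URL parameter unencoded, the same sink with output encoding, an allowlist validator, and the response headers that blunt session theft even when encoding is missed.

```javascript
// Added example, not Adobe Connect's code: a reflected-XSS sink beside its
// hardened form. The "msg" query parameter, the "/welcome" path and the page
// template are hypothetical stand-ins for any response that echoes request data.

// Entity-encodes text for placement inside an HTML element body or a
// double-quoted attribute value. This is the "output filtering" control.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function htmlEncode(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Parses the query string of a request target with the WHATWG URL API; the
// base host is a placeholder because only the path and query matter here.
function queryOf(target) {
  return new URL(target, 'https://connect.example.invalid').searchParams;
}

// VULNERABLE: the decoded parameter is interpolated straight into the HTML
// response, so "<script>" in the URL becomes a script element in the page.
function renderVulnerable(target) {
  const msg = queryOf(target).get('msg') ?? '';
  return `<html><body><p>Message: ${msg}</p></body></html>`;
}

// Output encoding alone: markup in the input is displayed as text, not parsed.
function renderEncoded(target) {
  const msg = queryOf(target).get('msg') ?? '';
  return `<html><body><p>Message: ${htmlEncode(msg)}</p></body></html>`;
}

// Input validation: an allowlist of characters a legitimate value for this
// field can contain. A denylist of "<script" would miss attribute and
// event-handler payloads, so the rule is positive, not negative.
const MSG_ALLOWLIST = /^[\w .,!?-]{0,200}$/;
function validateMsg(msg) {
  return MSG_ALLOWLIST.test(msg);
}

// Hardened handler: validate first, then encode what is reflected. Encoding is
// the primary defence; validation reduces the attack surface in front of it.
function renderHardened(target) {
  const msg = queryOf(target).get('msg') ?? '';
  if (!validateMsg(msg)) {
    return { status: 400, body: '<html><body><p>Invalid request</p></body></html>' };
  }
  return { status: 200, body: renderEncoded(target) };
}

// Defence in depth against the session-theft techniques mapped to this CVE:
// HttpOnly keeps the cookie out of document.cookie, and a CSP without
// 'unsafe-inline' refuses to run an inline script even if encoding is missed.
function hardenedHeaders(sessionId) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `SESSION=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// True when a rendered page contains an unencoded script element.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed probe: the classic reflected-XSS test, URL-encoded as a browser would send it.
const PROBE_URL = '/welcome?msg=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E';
```

Run `renderVulnerable(PROBE_URL)` and `renderEncoded(PROBE_URL)` against the same probe to see the difference: the first returns a page with a live script element, the second shows the literal text `<script>...` to the user. `renderHardened` rejects the probe outright with a 400, and `hardenedHeaders` is what keeps a missed encoding from turning into cookie theft.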

Security Summary (AI-generated)

CVE-2026-27245 is a reflected Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. Assigned a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), it enables attackers to inject malicious scripts into web pages served by the affected software. The vulnerability was published on 2026-04-14. The CVSS scope is Changed because the flaw lives in the Adobe Connect server but the injected script executes in the victim's browser under the Adobe Connect origin, a different security authority from the vulnerable component.

Attackers with network access can exploit this issue without privileges by crafting malicious URLs or compromising web pages that trick victims into interacting with them, such as clicking links or visiting sites. Successful exploitation requires user interaction but allows injected scripts to execute in the victim's browser context, potentially granting attackers elevated access or control over the victim's Adobe Connect account or session, with high impacts on confidentiality and integrity.

For mitigation details, refer to Adobe's security bulletin at https://helpx.adobe.com/security/products/connect/apsb26-37.html, which provides guidance on patches and remediation for affected versions.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Affected Products:
- adobe / connect: ≤ 12.11
- adobe / connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

Note that the product range above (≤ 12.11) is wider than the "12.10 and earlier" stated in the description; confirm the exact fixed versions against the Adobe bulletin before closing a finding.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS in an Internet-facing Adobe Connect deployment is reached through the public-facing application (T1190). The injected JavaScript runs in the victim's browser under the Adobe Connect origin, where it can read or relay session cookies (T1539) and act within the authenticated session (T1185). Marking the session cookie HttpOnly blocks direct cookie theft via document.cookie, but script running in the origin can still issue requests as the user, so it does not remove the session-hijacking risk on its own.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
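Because exploitation requires the victim to open a crafted URL, the probe usually shows up in the web server's access log before anyone reports it. The following is an added example, not part of this page or of any Adobe tooling: a small scanner that decodes the query string of each request (including double-encoded payloads) and flags the common reflected-XSS probe shapes. The log lines are constructed for the example and the "/welcome" path is hypothetical.

```javascript
// Added example, not from the page or Adobe: scanning combined-format access
// logs for reflected-XSS probes. Log lines are constructed; paths are hypothetical.

const LOG_LINES = [
  '203.0.113.5 - - [14/Apr/2026:10:01:02 +0000] "GET /welcome?msg=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Apr/2026:10:01:09 +0000] "GET /welcome?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Apr/2026:10:02:31 +0000] "GET /welcome?msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 651 "-" "curl/8.0"',
  '198.51.100.7 - - [14/Apr/2026:10:02:40 +0000] "GET /welcome?msg=%253Cscript%253E HTTP/1.1" 200 520 "-" "curl/8.0"',
  '192.0.2.9 - - [14/Apr/2026:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
];

// Extracts the method and request target from the quoted request field.
const REQ_RE = /"(?<method>[A-Z]+) (?<target>[^ "]+) HTTP\/[\d.]+"/;

// Percent-decodes repeatedly (bounded) so that double-encoded payloads such as
// %253C normalise to "<" before matching. Malformed sequences stop the loop
// instead of throwing, so one bad request cannot abort the whole scan.
function decodeFully(s, rounds = 3) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Probe shapes worth alerting on in a decoded query string. A denylist like
// this is for detection only; it is not a substitute for output encoding.
const XSS_RULES = [
  { name: 'script_tag', re: /<\s*script\b/i },
  { name: 'event_handler', re: /<[^>]+\son[a-z]+\s*=/i },
  { name: 'javascript_uri', re: /javascript\s*:/i },
];

// Returns a finding for one log line, or null when nothing matches.
function scanLine(line) {
  const m = REQ_RE.exec(line);
  if (!m) return null;
  const target = m.groups.target;
  const q = target.indexOf('?');
  if (q < 0) return null;
  const decoded = decodeFully(target.slice(q + 1));
  const hits = XSS_RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
  if (hits.length === 0) return null;
  return { client: line.split(' ')[0], path: target.slice(0, q), rules: hits, decoded };
}

// Scans a whole log and keeps only the flagged requests.
function scanLog(lines) {
  return lines.map(scanLine).filter(Boolean);
}
```

On the constructed sample, `scanLog(LOG_LINES)` flags three of the five requests: the plain `<script>` probe, the `onerror` event-handler variant, and the double-encoded probe that a single decode pass would have missed. In production, pivot on the flagged client address to see whether the same source then requested the same path with a payload pointed at a real victim.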

References

Adobe Security Bulletin APSB26-37: https://helpx.adobe.com/security/products/connect/apsb26-37.html