Cyber Posture

CVE-2026-27246

Severity: Critical
Published: 14 April 2026
Modified: 28 April 2026
KEV Added:
Patch:
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the DOM-based XSS vulnerability by requiring timely identification, reporting, and correction of the specific flaw through vendor patches, as detailed in Adobe's APSB26-37 bulletin.

Prevent: Prevents script injection by enforcing information input validation at critical points, addressing the improper neutralization of input during dynamic HTML generation in Adobe Connect.

Prevent: Mitigates DOM-based XSS by filtering or validating information output prior to processing or insertion into web pages, blocking malicious scripts from executing.

Security Summary

CVE-2026-27246 is a DOM-based Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. Assigned a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), it involves improper neutralization of input during dynamic HTML generation, allowing script injection. Scope is changed (S:C): the vulnerable component is the Adobe Connect web application, but the impact is realised in the victim's browser, a separate security authority.

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this issue with low complexity (AC:L) by tricking a victim into visiting a maliciously crafted URL or interacting with a compromised web page (UI:R). Successful exploitation enables injection of malicious scripts into the web page, potentially granting the attacker elevated access or control over the victim's account or session, with high confidentiality and integrity impacts (C:H/I:H) but no availability disruption (A:N).

Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, provides details on the vulnerability and recommended mitigations, including patches for affected versions.

Details

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

adobe connect: ≤ 12.11
adobe connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The DOM-based XSS vulnerability in a public-facing web application (Adobe Connect) enables exploitation of public-facing applications (T1190) via crafted webpages, leading to arbitrary JavaScript execution in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Adobe Security Bulletin APSB26-37: https://helpx.adobe.com/security/products/connect/apsb26-37.html