Multiple Stored XSS Vulnerabilities in Adobe Commerce
Adobe Commerce disclosed multiple stored cross-site scripting (XSS) vulnerabilities affecting versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The issues tracked as CVE-2026-21284, CVE-2026-21290, CVE-2026-21311, and CVE-2026-21361 allow malicious JavaScript to be injected into vulnerable form fields and later executed in a victim’s browser when the affected page is viewed. Adobe indicates the impact can include session takeover and high confidentiality and integrity risk.
The vulnerabilities differ primarily in the privilege level required to plant the payload, with most requiring a high-privileged attacker and at least one (CVE-2026-21290) being exploitable by a low-privileged attacker. In all cases, exploitation requires user interaction, as a victim must browse to the page containing the injected content. A separate write-up about a chained exploit involving postMessage misconfiguration, prompt injection, and sandbox escape on an AI assistant platform does not describe the same Adobe Commerce disclosure and should be excluded.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Adobe discloses multiple Adobe Commerce stored XSS vulnerabilities
Adobe Commerce vulnerabilities CVE-2026-21284, CVE-2026-21290, CVE-2026-21311, and CVE-2026-21361 were published as stored cross-site scripting flaws affecting multiple versions up to specific patch levels, including 2.4.9-alpha3 in several cases. The issues could allow attackers to inject malicious scripts into form fields and potentially hijack user sessions when victims view affected pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-21284 - Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
cvefeed.io
Open sourceCVE-2026-21290 - Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
cvefeed.io
Open sourceCVE-2026-21311 - Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
cvefeed.io
Open sourceCVE-2026-21361 - Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including versions from **2.4.4 through 2.4.7** and other listed builds and earlier releases. Security guidance escalated after reports said the flaw was being actively exploited in the wild and added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.
May 16, 2026
Adobe Connect Patches Reflected XSS Flaws Allowing Script Execution via Crafted URLs
Adobe disclosed two high-severity reflected cross-site scripting vulnerabilities in **Adobe Connect**—`CVE-2026-27245` and `CVE-2026-27243`—affecting versions **2025.3, 12.10, and earlier**. The flaws allow an attacker to trigger execution of malicious JavaScript in a victim’s browser if the victim is persuaded to open a specially crafted URL pointing to a vulnerable page. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`, indicating network-reachable exploitation with no privileges required but user interaction needed. Adobe referenced the vulnerabilities in security bulletin **APSB26-37**, and the changed scope plus high confidentiality and integrity impact suggest successful exploitation could let attackers act within the victim’s browser session and compromise exposed application data or actions.
May 24, 2026
Adobe Connect Flaws Expose Users to XSS and Potential Code Execution
Adobe disclosed two high-severity vulnerabilities in **Adobe Connect** affecting versions **2025.3, 12.10, and earlier**, and directed customers to advisory **`APSB26-37`** for remediation. One issue, **`CVE-2026-27246`**, is a DOM-based cross-site scripting flaw classified as **`CWE-79`** that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim’s session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of **`AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`**, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed **`CVE-2026-34615`**, a **`CWE-502`** deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues, while both bugs were published through Adobe’s PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.
May 24, 2026