Platform
adobe
Component
adobe-commerce
Fixed in
2.4.5-p15
2.4.6-p13
2.4.7-p8
2.4.8-p3
2.4.9-alpha3
CVE-2026-21291 is a stored (persistent) Cross-Site Scripting (XSS) vulnerability in Adobe Commerce. An attacker who already holds high privileges, in practice an administrative or back-office account, can save a script payload into a vulnerable form field; the payload is then served to, and executed in the browser of, every user whose page renders that field. The affected versions are listed as 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier, while the fixed-in field above records 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3 and 2.4.9-alpha3. Because those two lists overlap, confirm the exact affected and fixed builds for your release branch against Adobe's security bulletin before concluding that an installation is patched.
Successful exploitation of CVE-2026-21291 lets the attacker store arbitrary JavaScript inside Adobe Commerce. Unlike reflected XSS, the payload does not travel in a link: it sits in the stored field and runs in the browser of any victim who loads a page that displays that field, with the victim's session and origin. From there the script can read or exfiltrate session cookies and tokens that are not HttpOnly, submit requests to the store or the admin panel as the victim, redirect users to attacker-controlled sites, or deface the page. The vulnerability requires user interaction, so the attacker must wait for, or lure, a victim to view the affected page. The blast radius is bounded by who sees the stored value; when that audience includes other administrators, the realistic outcome is account takeover of privileged users and theft of customer data.
CVE-2026-21291 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code has been identified as of this date. The EPSS score is 0.07% (22nd percentile), and the CVE is not listed in the CISA KEV catalog.
Organizations running an Adobe Commerce release at or below the affected builds named above, particularly high-traffic storefronts or stores holding sensitive customer data, are at risk. Installations that share one Adobe Commerce instance and admin panel across several stores or business units are at increased risk, because a privileged account belonging to one unit can plant a payload that executes in the sessions of administrators from the others.
• magento / web: grep -r "<script" /var/www/html/app/code/Magento/... (this matches the legitimate inline scripts in Magento's own templates and cannot locate a stored payload, which lives in the database rather than under app/code; use it only to spot unexpected edits to core files)
• magento / web: curl -I https://your-magento-site.com/form-page | grep -i Content-Security-Policy (use -i because HTTP/2 responses print header names in lowercase; a Content-Security-Policy-Report-Only header also matches this grep but blocks nothing, so check the exact header name and whether script-src allows 'unsafe-inline')
• wordpress / composer / npm: Review plugin code for improper output encoding of user-supplied data in form fields.
• generic web: Monitor access logs for unusual requests targeting form submission endpoints (access logs record the URL, query string and Referer but not POST bodies, so pair this with WAF or application logs).
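The last two checks, as an added example that is not part of the original page and not Adobe's tooling: a sweep over access-log lines that flags requests to form endpoints carrying script-like input in the URL or Referer, and a classifier for the header that `curl -I` returns, which distinguishes an enforced policy from a report-only one and tells you whether inline script is actually blocked. The log lines, header blocks, endpoint naming rule and host names are constructed for the example; the assumption that form handlers end in `/post/`, `/save/` or `/createpost/` follows Magento's controller naming and should be adjusted to your routes.

```python
"""Added checks for a stored-XSS exposure on an Adobe Commerce / Magento front end:
(1) flag requests to form endpoints whose URL or Referer carries script-like input,
(2) judge whether a Content-Security-Policy header actually blocks inline scripts."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic. Line 3 carries a
# payload in the query string, line 4 in the Referer: the two places an access log can
# reveal it, since POST bodies are never logged.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2026:10:01:02 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:09 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0 "https://shop.example/customer/account/create/" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2026:10:02:30 +0000] "POST /contact/index/post/?comment=%3Cscript%3Elocation%3D%27https%3A%2F%2Fattacker.example%27%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [11/Mar/2026:10:02:41 +0000] "POST /admin/catalog/product/save/ HTTP/1.1" 200 0 "https://shop.example/admin/catalog/product/edit/?name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumption: form handlers follow Magento's controller naming (.../post/, .../save/, .../createpost/).
FORM_ENDPOINT = re.compile(r"/(post|save|createpost)/?$")
# Indicators are checked after URL-decoding, so %3Cscript%3E and <script> are treated alike.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|<svg|<iframe|<img|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per request to a form endpoint that carries a script marker
    in its URL (query string included) or in its Referer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort a whole log sweep
        path = m["target"].split("?", 1)[0]
        if not FORM_ENDPOINT.search(path):
            continue
        decoded = unquote_plus(m["target"]) + " " + unquote_plus(m["referer"])
        marker = SCRIPT_MARKERS.search(decoded)
        if marker:
            hits.append({"ip": m["ip"], "method": m["method"], "path": path, "marker": marker.group(0)})
    return hits


# Constructed response headers as `curl -I` would print them; not captured from a real site.
HEADERS_REPORT_ONLY = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy-report-only: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example
"""
HEADERS_ENFORCING = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'; script-src 'self' 'nonce-d2VsbA'
"""


def assess_csp(raw_headers: str) -> dict:
    """Classify the CSP as enforce / report-only / none and say whether inline script is
    blocked. A report-only policy, or one whose effective script-src allows 'unsafe-inline',
    does not stop an injected <script> or onerror= handler from running. (A policy that also
    carries 'strict-dynamic' makes browsers ignore 'unsafe-inline'; this check does not model that.)"""
    mode, policy = "none", ""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        name = name.strip().lower()
        if name == "content-security-policy":
            mode, policy = "enforce", value.strip()
            break  # an enforced header outranks any report-only one
        if name == "content-security-policy-report-only" and mode == "none":
            mode, policy = "report-only", value.strip()
    directives: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    script_src = directives.get("script-src", directives.get("default-src", []))
    blocks_inline = mode == "enforce" and bool(script_src) and "'unsafe-inline'" not in script_src
    return {"mode": mode, "script_src": script_src, "blocks_inline_scripts": blocks_inline}


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
    print("report-only headers:", assess_csp(HEADERS_REPORT_ONLY))
    print("enforcing headers:", assess_csp(HEADERS_ENFORCING))
```

Feed `suspicious_requests` the real log (`open(path).read()`) and `assess_csp` the output of `curl -sI https://your-magento-site.com/form-page`. Two hits out of the four constructed lines are flagged, both from 198.51.100.7. Treat the log sweep as a low-cost tripwire rather than coverage: a payload typed into a form body reaches the server in the POST body, which this check cannot see.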
Disclosure
2026-03-11
Exploit status
No public PoC identified; not listed in CISA KEV
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21291 is to upgrade Adobe Commerce to a release that contains the fix: the fixed-in field above lists 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3 and 2.4.9-alpha3, one per supported branch; confirm the exact build for your branch in the Adobe Commerce security bulletin. Until the patch is applied, the fact that exploitation needs a high-privileged account is the main lever: review who holds admin-panel access, remove stale or shared accounts, enforce multi-factor authentication on the admin panel, and audit recent edits to free-text fields by privileged users. Strict output encoding of stored values is the correct fix, but it lives in Adobe's templates, so treat the advice to add input validation and output encoding as applying to your own customizations and extensions rather than as a substitute for the patch. A Content-Security-Policy in enforcing mode (not report-only) that does not allow 'unsafe-inline' for script-src limits what an injected payload can do, and a web application firewall (WAF) tuned for XSS patterns adds a further layer, with the caveat that a WAF sees the submission, not the later rendering, and can be bypassed by encoding tricks. Regularly review and update security policies and procedures to minimize the risk of XSS vulnerabilities.
Update Adobe Commerce to the latest available version. Make sure the security updates provided by Adobe are applied in order to mitigate the persistent (stored) XSS vulnerability. Consult the Adobe Security Bulletin for detailed instructions on updating and patching.
CVE-2026-21291 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce up to and including the affected builds listed above, allowing a high-privileged attacker to inject malicious scripts into form fields that then execute in other users' browsers.
If you run an Adobe Commerce release older than the fixed-in versions listed above, you are potentially affected by this vulnerability. Check the official Adobe advisory for confirmation of the exact affected builds.
Upgrade to a patched version of Adobe Commerce as recommended by Adobe. Consult the official Adobe Commerce security advisories for the latest fixed version for your branch.
While no active exploitation has been confirmed, stored XSS requires no special tooling once a privileged account is available, so it could be exploited. Monitor your systems and implement mitigations.
Refer to the official Adobe Security Bulletins page for the latest information and advisories regarding CVE-2026-21291.