Platform
adobe
Component
adobe-commerce
Fixed in
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
CVE-2026-21292 describes a stored Cross-Site Scripting (XSS) vulnerability impacting Adobe Commerce. This vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields, potentially leading to session hijacking or defacement. The vulnerability affects versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier. A fix is available, requiring an upgrade to a patched version.
Successful exploitation of CVE-2026-21292 allows an attacker to inject arbitrary JavaScript code into vulnerable form fields within Adobe Commerce. Because the payload is stored, it executes in the browser of any user who later interacts with the affected page. The impact can range from simple defacement of the website to more severe consequences, such as stealing user session cookies, redirecting users to malicious websites, or gaining unauthorized access to sensitive data. The requirement for user interaction limits the immediate scope of the attack, but the widespread use of Adobe Commerce makes it a significant risk. Like other stored XSS vulnerabilities, the injected script runs with the privileges of the victim's session and can compromise user accounts and data.
CVE-2026-21292 was publicly disclosed on March 11, 2026. The vulnerability's CVSS score of 5.4 (MEDIUM) indicates a moderate risk. As of this writing, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not currently listed on the CISA KEV catalog. The requirement for user interaction lowers the immediate exploitation probability.
Organizations heavily reliant on Adobe Commerce for their e-commerce operations are at significant risk. Specifically, those running older, unpatched versions (0–2.4.4-p16) are particularly vulnerable. Shared hosting environments where multiple tenants share the same server infrastructure could also be affected if one tenant's instance is compromised.
• wordpress / composer / npm: `grep -r "<script" /var/www/html/app/code/Magento/...`
• generic web: `curl -I https://your-magento-site.com/vulnerable-form | grep Content-Security-Policy`
• generic web: Review access logs for unusual POST requests to form submission endpoints, especially those containing suspicious characters or patterns.
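The access-log review above, worked through as an added example (not code from this page or from Adobe): a Python heuristic that parses constructed combined-format log lines, URL-decodes the request path and referer, and flags POST requests to form endpoints that carry script markers. The endpoint paths in `FORM_PATHS` and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus
# Combined log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Form-submission endpoints to watch (hypothetical paths; adjust to the store's routes).
FORM_PATHS = ("/contact/index/post", "/review/product/post", "/customer/account/editPost")
# Heuristic markers that rarely occur in legitimate form input. Input is URL-decoded
# before matching so percent-encoded variants (e.g. %3Cscript) are not missed.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*(img|svg|iframe)\b", re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(entry):
    """POST to a form endpoint whose URL (query string included) carries XSS markers.
    Caveat: access logs do not record the POST body, so only payloads that leak into
    the URL or referer are visible here; body inspection needs a WAF or application log."""
    if entry["method"] != "POST":
        return False
    if not any(entry["path"].startswith(p) for p in FORM_PATHS):
        return False
    decoded = unquote_plus(entry["path"]) + " " + unquote_plus(entry["referer"])
    return bool(XSS_MARKERS.search(decoded))

def suspicious_requests(lines):
    """Return (client, timestamp, decoded path) for every line that trips the heuristic."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], unquote_plus(entry["path"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:10:01:02 +0000] "POST /contact/index/post/ HTTP/1.1" 302 0 "https://shop.example/contact" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Mar/2026:10:02:11 +0000] "POST /review/product/post/id/42/?nickname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.9 - - [11/Mar/2026:10:03:30 +0000] "GET /catalogsearch/result/?q=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [11/Mar/2026:10:04:45 +0000] "POST /customer/account/editPost/?firstname=x%22%20onerror%3Dalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Treat hits as leads for review rather than proof of exploitation; the GET sample line is deliberately left unflagged because the heuristic scopes itself to form-submission POSTs.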
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21292 is to upgrade to a patched version of Adobe Commerce. Adobe has released updates to address this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds such as strict input validation and output encoding on all form fields. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update security policies to prevent future XSS vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a vulnerable form field and verifying that it is properly sanitized.
Update Adobe Commerce to the latest available version. Further details and specific update instructions can be found in the Adobe Security Bulletin.
CVE-2026-21292 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce affecting versions 0–2.4.4-p16, allowing attackers to inject malicious scripts into form fields.
You are affected if you are running Adobe Commerce versions 0–2.4.4-p16. Check your version and upgrade to a patched release as soon as possible.
Upgrade Adobe Commerce to a version containing the security patch. Consult Adobe's security advisories for specific fixed versions.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed proactively.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/bulletins/adobe-commerce.html](https://www.adobe.com/security/bulletins/adobe-commerce.html)