Plattform
adobe
Komponente
adobe-connect
Behoben in
12.10.1
CVE-2026-27246 describes a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 2025.3 and earlier, including 12.10. Successful exploitation could allow an attacker to inject malicious scripts, potentially leading to account compromise or session hijacking. The vulnerability impacts users of Adobe Connect running affected versions, but requires user interaction to trigger the script execution. A fix is available in version 2025.3.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a web page viewed by other Adobe Connect users. This can be achieved by crafting a malicious URL or embedding the script within a compromised web page. Upon visiting the malicious page, the victim's browser will execute the attacker's script, potentially granting the attacker access to sensitive information such as session cookies, authentication tokens, or other credentials. The attacker could then impersonate the victim, perform actions on their behalf, or steal data. The scope of this vulnerability has been updated to reflect the potential for broader impact.
CVE-2026-27246 was publicly disclosed on April 14, 2026. While no public exploits have been confirmed, the CRITICAL CVSS score indicates a high potential for exploitation. The vulnerability requires user interaction, but the potential impact is significant. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Organizations and individuals using Adobe Connect for online meetings, webinars, and training sessions are at risk. This includes educational institutions, businesses, and government agencies. Users who frequently interact with external content or share links within Adobe Connect are particularly vulnerable.
• generic web: Monitor access logs for unusual URL patterns containing suspicious JavaScript code. Use curl to test endpoints for XSS vulnerabilities.
curl -X GET 'https://your-adobe-connect-server/malicious_url' -d 'alert(1)'• adobe: Review Adobe Connect server logs for unusual activity or errors related to script execution. Check for unauthorized modifications to web page content. • generic web: Implement Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
disclosure
Exploit-Status
EPSS
0.10% (29% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-27246 is to upgrade Adobe Connect to version 2025.3 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing temporary workarounds such as strict input validation and output encoding on user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide some protection. Regularly review Adobe Connect's security advisories for further guidance and updates.
Actualice Adobe Connect a la versión 2025.3 o posterior para mitigar la vulnerabilidad de XSS. Consulte la página de seguridad de Adobe para obtener más detalles e instrucciones de actualización: https://helpx.adobe.com/security/products/connect/apsb26-37.html
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-27246 is a CRITICAL DOM-based Cross-Site Scripting vulnerability in Adobe Connect versions 0.0.0–12.10, allowing attackers to inject malicious scripts.
You are affected if you are using Adobe Connect versions 2025.3 and earlier, including 12.10. Check your version and upgrade accordingly.
Upgrade to Adobe Connect version 2025.3 or later to resolve the vulnerability. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no public exploits have been confirmed, the CRITICAL severity suggests a high potential for exploitation. Monitor security advisories.
Refer to the official Adobe Security Bulletin for CVE-2026-27246 on the Adobe Security Advisories website.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.