Platform
adobe
Component
adobe-commerce
Fixed in
2.4.5-p15
2.4.6-p13
2.4.7-p8
2.4.8-p3
2.4.9-alpha3
CVE-2026-21290 describes a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce. This vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields, potentially leading to session takeover and compromising data integrity. The vulnerability affects versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier. Adobe has released patches to address this issue.
Successful exploitation of CVE-2026-21290 allows an attacker to inject arbitrary JavaScript code into vulnerable form fields within Adobe Commerce. When a victim interacts with a page containing the injected script, the malicious code executes within their browser context. This can lead to several severe consequences, including session hijacking, where the attacker gains control of the victim's account. Furthermore, the attacker could potentially steal sensitive data, modify website content, or redirect users to malicious sites. The high confidentiality and integrity impact stems from the potential for complete account compromise and data manipulation.
CVE-2026-21290 was publicly disclosed on March 11, 2026. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-21290 is to upgrade to a patched version of Adobe Commerce. Adobe has released updates to address this vulnerability; refer to the official Adobe Security Bulletin for specific version details. If immediate patching is not feasible, consider implementing input validation and output encoding on all form fields to sanitize user-supplied data. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide an additional layer of defense. Regularly review and update security configurations to minimize the attack surface.
Update Adobe Commerce to the latest available version. Refer to the Adobe security bulletin for more details and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 0–2.4.4-p16, allowing attackers to inject malicious scripts.
If you are running Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, or 2.4.4-p16 or earlier, you are potentially affected.
Upgrade to a patched version of Adobe Commerce as specified in the official Adobe Security Bulletin. Implement input validation and output encoding as a temporary workaround.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Adobe Security Bulletin for detailed information and patching instructions: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.