Platform
adobe
Component
adobe-commerce
Fixed in
2.4.5-p15
2.4.6-p13
2.4.7-p8
2.4.8-p3
2.4.9-alpha3
CVE-2026-21291 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce. This vulnerability allows a high-privileged attacker to inject malicious scripts into vulnerable form fields, potentially compromising user sessions and data integrity. The vulnerability impacts versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier. A fix is available in a later version.
Successful exploitation of CVE-2026-21291 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the Adobe Commerce storefront, and theft of sensitive user data such as login credentials or personal information. Because the vulnerability requires user interaction (browsing to the vulnerable page), the attacker needs to lure victims to the compromised form field. The blast radius is limited to users interacting with the affected form fields, but the potential impact on those users can be significant.
CVE-2026-21291 was publicly disclosed on 2026-03-11. The vulnerability's reliance on user interaction suggests a lower probability of widespread exploitation compared to remote code execution vulnerabilities. No public proof-of-concept (POC) code has been identified at the time of writing, but the XSS nature of the vulnerability means that exploitation is likely possible. Check CISA KEV for updates.
Exploit Status
EPSS
0.07% (22% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-21291 is to upgrade Adobe Commerce to a version that includes the security patch. Adobe has likely released a fixed version; consult the official Adobe Commerce security advisories for details. If immediate upgrading is not possible, consider implementing input validation and output encoding on form fields to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Adobe Commerce logs for suspicious activity related to form submissions.
Update Adobe Commerce to the latest available version. Ensure you apply the security patches provided by Adobe to mitigate the stored XSS vulnerability. Refer to the Adobe security bulletin for detailed instructions on updating and patching.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-21291 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce versions 0–2.4.4-p16, allowing attackers to inject malicious scripts into form fields.
If you are using Adobe Commerce versions 0–2.4.4-p16, you are potentially affected by this vulnerability. Check the official Adobe advisory for confirmation.
Upgrade to a patched version of Adobe Commerce as recommended by Adobe. Consult the official Adobe Commerce security advisories for the latest fixed version.
While no active exploitation has been confirmed, the XSS nature of the vulnerability suggests it could be exploited. Monitor your systems and implement mitigations.
Refer to the official Adobe Security Bulletins page for the latest information and advisories regarding CVE-2026-21291.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.