Platform: adobe
Component: adobe-commerce
Fixed in: 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9
CVE-2026-21292 describes a stored Cross-Site Scripting (XSS) vulnerability impacting Adobe Commerce. This vulnerability allows a low-privileged attacker to inject malicious scripts into vulnerable form fields, potentially leading to session hijacking or defacement. The vulnerability affects versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier. A fix is available, requiring an upgrade to a patched version.
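The affected-version list above is easy to misjudge by eye because Adobe Commerce release strings mix pre-release suffixes (2.4.9-alpha3) with security-patch suffixes (2.4.7-p8). As an added example that is not part of this advisory or of Adobe's own tooling, the following Python encodes that list so an inventory of store versions can be checked; the version grammar (MAJOR.MINOR.PATCH with an optional -pN, -alphaN or -betaN suffix) and the treatment of branches the advisory does not mention are assumptions.

```python
import re
from typing import Optional

# Highest affected release per branch, taken from the advisory text above.
# "and earlier" is read as: every build at or below these is affected, and
# every branch older than 2.4.4 is affected in full (assumption).
AFFECTED_CEILINGS = ("2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8",
                     "2.4.6-p13", "2.4.5-p15", "2.4.4-p16")

# Assumed grammar of an Adobe Commerce version string.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Pre-releases sort below the GA build, GA sorts below any -pN patch build.
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text: str) -> tuple:
    """Turn '2.4.7-p8' into a sortable key, e.g. (2, 4, 7, 3, 8)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(n or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the build is at or below its branch's affected ceiling,
    False if it is above it, None if the branch is newer than anything
    the advisory lists (check the Adobe bulletin in that case)."""
    key = parse_version(version)
    ceilings = {parse_version(c)[:3]: parse_version(c) for c in AFFECTED_CEILINGS}
    branch = key[:3]
    if branch in ceilings:
        return key <= ceilings[branch]
    if branch < min(ceilings):
        return True  # older than 2.4.4: covered by "and earlier"
    return None      # unlisted newer branch: advisory is silent


def main() -> None:
    # Constructed sample of versions an inventory scan might report.
    for v in ("2.4.7-p8", "2.4.7-p9", "2.4.9-alpha3", "2.4.9",
              "2.4.3-p2", "2.4.10"):
        print(f"{v:12} affected={is_affected(v)}")


if __name__ == "__main__":
    main()
```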
Successful exploitation of CVE-2026-21292 allows an attacker to inject arbitrary JavaScript code into vulnerable form fields within Adobe Commerce. This code executes in the context of the user's browser when they interact with the affected page. The impact can range from simple defacement of the page to more severe consequences like session hijacking, phishing attacks, or redirection to malicious websites. Because the attack requires user interaction (browsing to the vulnerable page), the attacker needs to entice a victim to visit the compromised area. The blast radius is limited to users who interact with the injected script, but this could encompass a significant portion of the Commerce platform's user base.
CVE-2026-21292 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code had been released at the time of writing. The vulnerability's CVSS score of 5.4 (MEDIUM) reflects moderate severity. It is not currently listed in the CISA KEV catalog. Monitor Adobe's security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-21292 is to upgrade Adobe Commerce to a version that includes the security patch. Adobe has released fixes for affected versions. If immediate upgrading is not possible, consider implementing input validation and output encoding on form fields to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies and conduct penetration testing to identify and address potential vulnerabilities.
Update Adobe Commerce to the latest available version. Refer to the Adobe security bulletin for more details and specific upgrade instructions.
CVE-2026-21292 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce affecting versions 0–2.4.4-p16, allowing attackers to inject malicious scripts into form fields.
You are affected if you are running Adobe Commerce versions 0–2.4.4-p16. Check your version and upgrade to a patched release as soon as possible.
Upgrade Adobe Commerce to a version containing the security patch. Consult Adobe's security advisories for specific fixed versions.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed proactively.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/bulletins/adobe-commerce.html](https://www.adobe.com/security/bulletins/adobe-commerce.html)