Platform
adobe
Component
adobe-connect
Fixed in
12.10.1
CVE-2026-27243 describes a reflected Cross-Site Scripting (XSS) vulnerability present in Adobe Connect versions 2025.3 and earlier, including 12.10. Successful exploitation allows an attacker to inject malicious scripts into a web page viewed by a victim. This can lead to account compromise or session hijacking. The vulnerability is resolved in Adobe Connect version 2025.3.
The impact of this XSS vulnerability is significant. An attacker can leverage it to execute arbitrary JavaScript code within the context of a victim's browser session on the Adobe Connect platform. This could involve stealing session cookies, redirecting users to malicious websites, or defacing the Adobe Connect interface. The attacker needs to trick the victim into clicking a malicious link or visiting a compromised page, requiring some level of social engineering. Given the collaborative nature of Adobe Connect, successful exploitation could impact multiple users within a meeting or training session, amplifying the potential damage. The scope change indicates a refinement in understanding the vulnerability's reach.
CVE-2026-27243 was published on April 14, 2026. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). No public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation inherent in reflected XSS vulnerabilities means it remains a potential threat. It is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term, but vigilance is still advised.
Exploit Status
EPSS
0.10% (29% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27243 is to upgrade Adobe Connect to version 2025.3 or later. If immediate upgrading is not feasible, consider implementing strict input validation and output encoding on all user-supplied data within Adobe Connect. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update Adobe Connect's security configuration to ensure best practices are followed. After upgrading, verify the fix by attempting to inject a simple JavaScript payload via a URL parameter and confirming it is properly sanitized.
Actualice Adobe Connect a la versión 2025.3 o posterior para mitigar la vulnerabilidad de Cross-Site Scripting (XSS). Consulte la página de seguridad de Adobe para obtener más detalles e instrucciones de actualización: https://helpx.adobe.com/security/products/connect/apsb26-37.html
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27243 is a critical reflected Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 0.0.0–12.10. An attacker can inject malicious scripts via crafted URLs, potentially gaining control of user accounts.
If you are using Adobe Connect versions 2025.3 or earlier, including 12.10, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
The recommended fix is to upgrade Adobe Connect to version 2025.3 or later. Implement input validation and WAF rules as interim measures if upgrading is not immediately possible.
No active exploitation campaigns have been publicly reported at this time, but the ease of exploitation warrants caution and prompt patching.
Refer to the official Adobe Security Bulletin for CVE-2026-27243 on the Adobe Security Advisories website: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.