Platform
adobe
Component
adobe-connect
Fixed in
12.10.1
CVE-2026-27245 describes a reflected Cross-Site Scripting (XSS) vulnerability present in Adobe Connect versions 2025.3 and earlier, including 12.10. Successful exploitation could allow an attacker to inject malicious scripts into a web page, potentially leading to account compromise or session hijacking. The vulnerability impacts users running affected versions of Adobe Connect, and a fix is available in version 2025.3.
This XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session on an Adobe Connect server. This can be leveraged to steal cookies, redirect users to malicious websites, deface the Adobe Connect interface, or even gain control of the user's account. The attack requires user interaction, specifically a victim visiting a specially crafted URL or interacting with a compromised web page. The scope of this vulnerability has been updated to reflect the potential for broader impact.
CVE-2026-27245 was publicly disclosed on 2026-04-14. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential impact make this a high-priority vulnerability. No public proof-of-concept exploits are currently available, but the vulnerability's nature suggests that such exploits are likely to emerge. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.10% (29% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27245 is to upgrade Adobe Connect to version 2025.3 or later. If immediate upgrading is not possible, consider implementing strict input validation and output encoding on all user-supplied data within Adobe Connect. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense. Regularly review and update Adobe Connect's security configuration to minimize the attack surface. After upgrade, confirm by testing a known vulnerable endpoint with a benign XSS payload to ensure it is properly sanitized.
Update Adobe Connect to version 2025.3 or later to mitigate the Cross-Site Scripting (XSS) vulnerability. This update addresses the failure to validate user input, preventing the injection of malicious scripts. See the Adobe security page for more details and installation instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27245 is a critical Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 0.0.0–12.10, allowing attackers to inject malicious scripts.
If you are using Adobe Connect versions 2025.3 or earlier, including 12.10, you are potentially affected by this vulnerability.
Upgrade Adobe Connect to version 2025.3 or later to resolve this vulnerability. Consider WAF rules as an interim measure.
While no active exploitation campaigns have been publicly reported, the vulnerability's nature suggests that exploitation is likely.
Refer to the official Adobe Security Bulletin for CVE-2026-27245 on the Adobe Security Advisories website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.