Platform
adobe
Component
adobe-connect
Fixed in
12.10.1
CVE-2026-27246 describes a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 2025.3 and earlier, including 12.10. Successful exploitation could allow an attacker to inject malicious scripts, potentially leading to account compromise or session hijacking. The vulnerability impacts users of Adobe Connect running affected versions, but requires user interaction to trigger the script execution. A fix is available in version 2025.3.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a web page viewed by other Adobe Connect users. This can be achieved by crafting a malicious URL or embedding the script within a compromised web page. Upon visiting the malicious page, the victim's browser will execute the attacker's script, potentially granting the attacker access to sensitive information such as session cookies, authentication tokens, or other credentials. The attacker could then impersonate the victim, perform actions on their behalf, or steal data. The scope of this vulnerability has been updated to reflect the potential for broader impact.
CVE-2026-27246 was publicly disclosed on April 14, 2026. While no public exploits have been confirmed, the CRITICAL CVSS score indicates a high potential for exploitation. The vulnerability requires user interaction, but the potential impact is significant. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.10% (29% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27246 is to upgrade Adobe Connect to version 2025.3 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing temporary workarounds such as strict input validation and output encoding on user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide some protection. Regularly review Adobe Connect's security advisories for further guidance and updates.
Update Adobe Connect to version 2025.3 or later to mitigate the XSS vulnerability. See the Adobe security page for more details and upgrade instructions: https://helpx.adobe.com/security/products/connect/apsb26-37.html
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27246 is a CRITICAL DOM-based Cross-Site Scripting vulnerability in Adobe Connect versions 0.0.0–12.10, allowing attackers to inject malicious scripts.
You are affected if you are using Adobe Connect versions 2025.3 and earlier, including 12.10. Check your version and upgrade accordingly.
Upgrade to Adobe Connect version 2025.3 or later to resolve the vulnerability. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no public exploits have been confirmed, the CRITICAL severity suggests a high potential for exploitation. Monitor security advisories.
Refer to the official Adobe Security Bulletin for CVE-2026-27246 on the Adobe Security Advisories website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.