Platform
adobe
Component
adobe-connect
Fixed in
12.10.1
CVE-2026-34617 describes a Cross-Site Scripting (XSS) vulnerability present in Adobe Connect versions 2025.3 and earlier, including 12.10. Successful exploitation could allow a low-privileged attacker to inject malicious scripts, potentially leading to privilege escalation and compromise of user accounts or sessions. The vulnerability impacts versions from 0.0.0 through 12.10, and a fix is available in version 2025.3.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a web page viewed by other Adobe Connect users. The attacker would need to entice a victim to visit a specially crafted URL or interact with a compromised web page within the Adobe Connect environment. Successful exploitation could result in the attacker stealing session cookies, redirecting users to malicious websites, or even gaining control of the user's account. The scope of this vulnerability has been updated to reflect the potential for privilege escalation, making it a more significant threat than a simple information disclosure issue. The attack surface is broad, as any user interacting with a vulnerable page is potentially at risk.
CVE-2026-34617 was publicly disclosed on April 14, 2026. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.7 (HIGH) indicates a significant potential impact if exploited.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34617 is to upgrade Adobe Connect to version 2025.3 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing strict input validation and output encoding on all user-supplied data within Adobe Connect. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Adobe Connect logs for suspicious activity, particularly requests containing unusual JavaScript code. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through a URL and verifying that it is properly sanitized.
Actualice Adobe Connect a la versión 2025.3 o posterior para mitigar la vulnerabilidad de XSS. Consulte la página de Adobe Security Bulletin APSB26-37 para obtener más detalles e instrucciones de actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34617 is a Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 0.0.0–12.10, allowing attackers to inject malicious scripts.
If you are using Adobe Connect versions 0.0.0 through 12.10, you are potentially affected by this vulnerability.
Upgrade Adobe Connect to version 2025.3 or later to remediate the vulnerability. Implement input validation and WAF rules as interim measures.
There is currently no evidence of active exploitation in the wild, but the HIGH severity score warrants immediate attention.
Refer to the official Adobe Security Bulletin for CVE-2026-34617 on the Adobe Security Advisories website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.