Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting vulnerability exists in Adobe Connect that allows an attacker to inject and execute arbitrary JavaScript in the victim’s browser when the victim visits a crafted URL. This flaw can lead to session hijacking, credential theft, or other malicious actions performed with the victim’s privileges. The weakness is identified as CWE‑79.

Affected Systems

Adobe Connect versions 2025.3, 12.10 and all earlier releases are affected. No newer versions are listed as impacted, suggesting that patching or upgrading mitigates the issue.

Risk and Exploitability

The CVSS base score of 6.1 indicates Medium severity. There is no EPSS data available, and the vulnerability is not part of the CISA KEV catalog. Based on the description, the attack vector is inferred to be a crafted URL that the victim must be persuaded to open and that exploits reflected input processing. The scope change (S:C in the CVSS vector) indicates that the impact falls on a component other than the vulnerable one, here the victim's browser rather than the Adobe Connect server; the same vector rates confidentiality and integrity impact as Low and availability impact as None.

Generated by OpenCVE AI on April 14, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Adobe Connect that addresses CVE‑2026‑21331, or upgrade to a version newer than 2025.3/12.10.
  • If an immediate patch is unavailable, disable or restrict access to the affected web pages until remediation is applied.
  • Instruct users to avoid clicking unfamiliar or suspicious URLs that might trigger the XSS payload.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe adobe Connect
Vendors & Products | | Adobe; Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Title | | Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T18:33:21.646Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21331

Vulnrichment

Updated: 2026-04-14T18:33:05.747Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:43.953

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-21331

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:54:02Z

Weaknesses