Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Browser Code Execution
Action: Immediate Patch
AI Analysis

Impact

Adobe Connect has a reflected Cross‑Site Scripting flaw that allows an attacker to inject malicious JavaScript into a vulnerable page. If a user visits a specially crafted URL, the script executes in the victim’s browser in the context of the application. This can lead to credential theft, session hijacking, defacement, and potentially other malicious actions, compromising user confidentiality and the integrity of data within the session. The weakness is identified as CWE‑79, and the attack vector is reflected XSS.

Affected Systems

Adobe Connect versions 2025.3, 12.10 and earlier are impacted. The vulnerability affects the product sold by Adobe as Adobe Connect.

Risk and Exploitability

The CVSS score of 9.3 reflects a high-severity impact. An EPSS score is not available, and the absence of an entry in the KEV catalog does not reduce the risk. The likely attack path requires an attacker to persuade a victim to click a malicious link, a technique commonly used in XSS exploits. Given the wide availability of the product and the popularity of web‑based meetings, the potential for exploitation is significant, and the scope change indicates that the vulnerability can affect all users of the affected installations.

Generated by OpenCVE AI on April 14, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Adobe Connect 2025.4 or later or apply the vendor‑issued patch
  • Ensure the application is served over HTTPS to reduce data exposure
  • Implement web‑application firewall rules to block suspicious script content
  • Monitor web logs for anomalous URL access patterns
  • Apply generic XSS mitigation such as input validation and output encoding if a patch is not immediately available

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe adobe Connect
Vendors & Products | | Adobe; Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Title | | Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:10:50.684Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27243

Vulnrichment

Updated: 2026-04-14T19:10:46.970Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:55.730

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:54:08Z

Weaknesses