Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS with potential for elevated access
Action: Apply Vendor Patch
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a reflected Cross‑Site Scripting flaw that allows an attacker to inject arbitrary script code into responses. When a victim clicks a crafted URL or visits a compromised page, the script executes in the victim’s browser, potentially enabling the attacker to hijack the user’s session, steal credentials, or execute privileged actions. The flaw is identified as CWE‑79 and the change in scope signals that all users of affected installations are at risk.

Affected Systems

Adobe Connect product versions 2025.3, 12.10, and all earlier releases are impacted. The vulnerability applies to the web‑based application and the desktop clients for macOS and Windows as listed in the affected CPE set.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity. Although the EPSS score is less than 1%, the lack of a KEV listing does not reduce the risk because the vulnerability still requires user interaction, which is a common entry point for XSS attacks. Attackers must convince a victim to visit a maliciously crafted link or compromised page, but once executed the exploit can grant inflated privileges or full account takeover. The scope change underscores that all users of the affected installations would be exposed if the vulnerability is exploited.

Generated by OpenCVE AI on April 29, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe Connect fix or upgrade to a version released after the vulnerability is addressed, following the instructions in the Adobe security advisory
  • Ensure that the application is accessed exclusively over HTTPS to mitigate transport‑level attacks
  • Deploy web‑application firewall rules or Content Security Policy directives that block malicious script injection

Generated by OpenCVE AI on April 29, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Title Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Connect Connect Connect Desktop Application
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:07.578Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27243

cve-icon Vulnrichment

Updated: 2026-04-14T19:10:46.970Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:55.730

Modified: 2026-04-28T15:39:57.827

Link: CVE-2026-27243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses