Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected) that can execute arbitrary JavaScript in a victim’s browser
Action: Immediate Patch
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a reflected cross‑site scripting flaw that allows an attacker to inject malicious JavaScript into a page a user visits. The injected script can execute in the victim’s browser context, potentially enabling the attacker to hijack the session, steal credentials, or perform unauthorized actions on behalf of the user. This weakness is identified as CWE‑79.

Affected Systems

All installations of Adobe Connect running version 2025.3, 12.10, or any earlier release are vulnerable. The issue applies to every deployment of the Connect web application that has not been updated beyond these releases, regardless of operating system.

Risk and Exploitability

The vulnerability is rated at a CVSS score of 9.3, indicating high severity. The EPSS score of < 1% shows a very low probability of exploitation at present, though the flaw could be leveraged remotely once a malicious link is discovered. The attack vector is remote user‑initiated via a crafted URL or compromised page, requiring only that a user visit the vulnerable resource. The scope is changed, so the impact potentially extends to any user with access to the affected web interface.

Generated by OpenCVE AI on April 29, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Connect patch or upgrade to a supported version that includes the fix
  • Restrict external access to the Connect web interface using firewall or network segmentation so only trusted users can reach the application
  • Deploy web content filtering or URL blocklists to block malicious links and monitor for XSS activity

Generated by OpenCVE AI on April 29, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Title Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Connect Connect Connect Desktop Application
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:16.620Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27245

cve-icon Vulnrichment

Updated: 2026-04-14T19:23:01.736Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:55.890

Modified: 2026-04-28T15:40:01.003

Link: CVE-2026-27245

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses