Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected) that can execute arbitrary JavaScript in a victim’s browser
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw: input carried in a crafted URL is reflected into the page the victim's browser renders, so attacker‑supplied JavaScript executes when the victim visits that URL. The script runs within the victim's browser session, potentially enabling information theft, session hijacking, or defacement. The CVSS vector marks scope as changed (S:C), meaning the impact can extend beyond the vulnerable component itself.

Affected Systems

Adobe Connect deployments running version 2025.3, 12.10 or any earlier release are affected. The issue applies to all installations of Adobe Connect that have not been updated beyond these versions.

Risk and Exploitability

The CVSS score is 9.3 (Critical). No EPSS score is available, but the lack of mitigation in the public notes suggests the exploit is likely to be attempted once disclosed. The attack vector is remote and user‑initiated via a malicious link, requiring only that a victim visit the vulnerable page. Because the flaw is reflected and does not require authentication or privileged access, the exposure to a large user base is substantial.

Generated by OpenCVE AI on April 14, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Connect patch or upgrade to a supported version that includes the fix
  • Verify the version of your installation against the Adobe Connect release notes
  • If urgent patching is not possible, restrict external access to the Connect web interface or use network controls to limit exposure to untrusted traffic


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe adobe Connect |
| Vendors & Products | | Adobe; Adobe adobe Connect |

Tue, 14 Apr 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Tue, 14 Apr 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. |
| Title | | Adobe Connect \| Cross-site Scripting (Reflected XSS) (CWE-79) |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}` |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:27:37.316Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27245

Vulnrichment

Updated: 2026-04-14T19:23:01.736Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:55.890

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:54:06Z

Weaknesses