Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (DOM‑based XSS)
Action: Patch Now
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a DOM‑based Cross‑Site Scripting flaw that allows an attacker to inject malicious JavaScript into a page. The vulnerability is triggered when a user visits a crafted URL or interacts with a compromised web page, and by exploiting it an attacker can gain elevated access or control over the victim’s account or session. This is a CWE‑79 type flaw that can be used to hijack the browser context, steal session data, or perform other malicious actions. The flaw also changes the scope of the application code, potentially expanding the attack surface for the adversary.

Affected Systems

The affected product is Adobe Connect. Deployments running version 2025.3, 12.10, or any earlier release are vulnerable. Administrators should inventory their installations, verify the deployed version, and plan to upgrade to a patch‑provided release as soon as possible.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity. Exploitation requires user interaction, which somewhat limits spontaneous attacks, but a successful event can lead to serious confidentiality or integrity compromise. The EPSS score is < 1%, indicating a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, yet the elevated severity and potential for widespread impact justify immediate remediation.

Generated by OpenCVE AI on April 28, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Assess the current Adobe Connect deployment to confirm if it is running a vulnerable version
  • Download and apply the latest official patch or upgrade to a version newer than 2025.3 or 12.10 from Adobe’s website
  • Conduct functional regression testing to verify that critical features continue to work after the patch or upgrade

Generated by OpenCVE AI on April 28, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Title Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Connect Connect Connect Desktop Application
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:25.586Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27246

cve-icon Vulnrichment

Updated: 2026-04-14T17:55:40.225Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:56.050

Modified: 2026-04-28T15:40:03.563

Link: CVE-2026-27246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses