Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (DOM‑based XSS)
Action: Patch Now
AI Analysis

Impact

Adobe Connect versions up to 2025.3 and 12.10 contain a DOM‑based Cross‑Site Scripting flaw that lets an attacker inject and run arbitrary JavaScript in a victim’s browser. The flaw is triggered when a user visits a crafted webpage or follows a specially designed link; it does not require elevated privileges beyond a normal user session. Once exploited, an attacker can hijack the browser context, steal session data, or perform other malicious actions. This vulnerability is a CWE‑79 type flaw.

Affected Systems

The affected product is Adobe Connect. All installations running version 2025.3, 12.10, or any earlier release are vulnerable. Administrators should inventory their deployments, verify the version, and plan to upgrade to a patched release as soon as possible.

Risk and Exploitability

The CVSS score of 9.3 places this vulnerability in the Critical severity range. Exploitation requires user interaction, which somewhat limits spontaneous attacks, but the high impact means that a successful attack can lead to serious confidentiality or integrity compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the elevated severity and potential for widespread impact justify immediate remediation.

Generated by OpenCVE AI on April 14, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current Adobe Connect version by logging into the administration console or reviewing the version information page
  • Download and install the latest available patch or upgrade to a version newer than 2025.3 or 12.10 from the official Adobe website
  • Verify the upgrade by re‑checking the version and testing application functionality

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Adobe; Adobe adobe Connect

Type: Vendors & Products
Values Removed: none
Values Added: Adobe; Adobe adobe Connect

Tue, 14 Apr 2026 18:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 18:00:00 +0000

Type: Description
Values Removed: none
Values Added: Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.

Type: Title
Values Removed: none
Values Added: Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79)

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T17:55:44.469Z

Reserved: 2026-02-18T22:02:41.383Z

Link: CVE-2026-27246

Vulnrichment

Updated: 2026-04-14T17:55:40.225Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:56.050

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:54:04Z

Weaknesses