Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (Reflected XSS)
Action: Apply patch
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a reflected cross-site scripting flaw. When a user opens a specially crafted URL that targets a vulnerable page, the application reflects user-supplied input back into the browser without proper sanitization, allowing malicious JavaScript to run in the victim's browser. The script executes in the context of the browser session, which can lead to manipulation of page content, interception of user actions, or redirection to malicious sites.

Affected Systems

The affected product is Adobe Connect, specifically installations running version 2025.3, 12.10, or any earlier release. Administrators should verify the exact version and refer to Adobe’s security advisory for guidance on updates.

Risk and Exploitability

The CVSS base score of 6.1 indicates medium severity, and the changed scope (S:C) signals that the vulnerability could affect components beyond the initially vulnerable one. Exploitation requires the victim to follow a malicious link, which typically involves phishing or social engineering, so user interaction is required (UI:R) while the attack vector itself is the network (AV:N). The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, but it remains an active risk for systems lacking a patch.

Generated by OpenCVE AI on April 14, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the Adobe Connect version currently deployed.
  • Download and apply the latest Adobe Connect patch or upgrade to a version newer than 2025.3 or 12.10.
  • If a patch is not immediately available, restrict access to URLs that could trigger the reflected XSS vulnerability or disable relevant functionality until a patch can be applied.
  • Educate users to avoid clicking suspicious links and remind them to report any unexpected page behavior.
  • After remediation, confirm that no vulnerable endpoints remain by testing or reviewing Adobe Connect security advisories and logs.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:45:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Adobe connect; Adobe connect Desktop Application; Apple; Apple macos; Microsoft; Microsoft windows
  • CPEs: cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*; cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*; cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Adobe connect; Adobe connect Desktop Application; Apple; Apple macos; Microsoft; Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Adobe; Adobe adobe Connect
  • Vendors & Products: Adobe; Adobe adobe Connect

Tue, 14 Apr 2026 20:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 18:00:00 +0000

Values Removed: (none)
Values Added:
  • Description: Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
  • Title: Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:18:31.682Z

Reserved: 2026-03-30T17:30:36.489Z

Link: CVE-2026-34614

Vulnrichment

Updated: 2026-04-14T18:34:07.984Z

NVD

Status: Analyzed

Published: 2026-04-14T18:17:36.200

Modified: 2026-04-22T19:36:33.513

Link: CVE-2026-34614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:54:05Z

Weaknesses