Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting with potential privilege escalation
Action: Immediate Patch
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a reflected cross‑site scripting flaw that allows a low‑privileged attacker to inject malicious scripts into a web page. If executed, the script can elevate an attacker’s access or control over the victim’s account or session. The vulnerability is tied to CWE‑79 and changes the scope of the affected system.

Affected Systems

The flaw affects Adobe Connect from versions 2025.3, 12.10 and all previous releases. Users running any of these releases are vulnerable to XSS and the associated privilege escalation risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. Attack requires user interaction, such as visiting a maliciously crafted URL or interacting with a compromised page. EPSS data is not available, but the flaw is not listed in CISA’s KEV catalog. Because the vulnerability changes scope, an attacker with a low‑privilege account can reach higher‑privilege levels once the script runs. The likely vector is a web‑based attack delivered through the Adobe Connect interface.

Generated by OpenCVE AI on April 14, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch or upgrade to a version newer than 2025.3 and 12.10 as detailed in Adobe’s PSB26‑37 bulletin.

Generated by OpenCVE AI on April 14, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Title Adobe Connect | Cross-site Scripting (XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Connect
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:10:24.817Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34617

cve-icon Vulnrichment

Updated: 2026-04-14T19:10:21.625Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T18:17:36.540

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-34617

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:54:01Z

Weaknesses