Cyber Resilience

CVE-2026-21290

High

Published: 11 March 2026

Published
11 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0045 35.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21290 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. Published on 2026-03-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue stems from insufficient input sanitization in vulnerable form fields, enabling attackers to inject malicious JavaScript that persists on the site.

A low-privileged attacker can exploit this vulnerability by submitting malicious scripts into the affected form fields. When a victim user browses to the page displaying the injected content, the JavaScript executes in their browser context, potentially enabling session takeover. This results in high confidentiality and integrity impacts, though no availability impact. Successful exploitation requires user interaction, as the victim must visit the compromised page.

Adobe's security bulletin APSB26-05, available at https://helpx.adobe.com/security/products/magento/apsb26-05.html, provides guidance on mitigation, including recommended patches for the affected versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…

more

executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS directly enables exploitation of public-facing web app (T1190) and facilitates browser session hijacking or web session cookie theft for takeover (T1185/T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21284Same product: Adobe Commerce
CVE-2025-24438Same product: Adobe Commerce
CVE-2026-34686Same product: Adobe Commerce
CVE-2025-24412Same product: Adobe Commerce
CVE-2025-24414Same product: Adobe Commerce
CVE-2025-24413Same product: Adobe Commerce
CVE-2026-21311Same product: Adobe Commerce
CVE-2025-24417Same product: Adobe Commerce
CVE-2025-24410Same product: Adobe Commerce
CVE-2026-21361Same product: Adobe Commerce

Affected Assets

adobe
commerce b2b
1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.2 · ≤ 1.3.3
adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4
adobe
magento
2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9 · ≤ 2.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause of insufficient input sanitization in vulnerable form fields, preventing malicious script injection in Adobe Commerce.

prevent

Filters malicious JavaScript on output when victims browse pages with injected content, blocking execution in their browsers.

prevent

Requires timely application of patches from Adobe's APSB26-05 bulletin to remediate the stored XSS flaw in affected versions.

References