CVE-2026-21290
Published: 11 March 2026
Summary
CVE-2026-21290 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause of insufficient input sanitization in vulnerable form fields, preventing malicious script injection in Adobe Commerce.
Filters malicious JavaScript on output when victims browse pages with injected content, blocking execution in their browsers.
Requires timely application of patches from Adobe's APSB26-05 bulletin to remediate the stored XSS flaw in affected versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables exploitation of public-facing web app (T1190) and facilitates browser session hijacking or web session cookie theft for takeover (T1185/T1539).
NVD Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
more
executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Deeper analysisAI
CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. Published on 2026-03-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue stems from insufficient input sanitization in vulnerable form fields, enabling attackers to inject malicious JavaScript that persists on the site.
A low-privileged attacker can exploit this vulnerability by submitting malicious scripts into the affected form fields. When a victim user browses to the page displaying the injected content, the JavaScript executes in their browser context, potentially enabling session takeover. This results in high confidentiality and integrity impacts, though no availability impact. Successful exploitation requires user interaction, as the victim must visit the compromised page.
Adobe's security bulletin APSB26-05, available at https://helpx.adobe.com/security/products/magento/apsb26-05.html, provides guidance on mitigation, including recommended patches for the affected versions.
Details
- CWE(s)