CVE-2026-21311
Published: 11 March 2026
Summary
CVE-2026-21311 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates all inputs to vulnerable form fields to block injection of malicious JavaScript by high-privileged attackers.
Filters and encodes outputs from vulnerable form fields to prevent execution of stored malicious scripts in victims' browsers.
Remediates the specific stored XSS flaw through timely patching of affected Adobe Commerce versions as per the vendor advisory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables browser script execution leading to session hijacking/takeover as described.
NVD Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
more
executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Deeper analysisAI
CVE-2026-21311 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The flaw enables a high-privileged attacker to inject malicious scripts into vulnerable form fields, with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N).
A high-privileged attacker can exploit this vulnerability by injecting malicious JavaScript into affected form fields. When a victim browses to the page containing the injected content, the script executes in their browser, potentially enabling session takeover and resulting in high confidentiality and integrity impacts. Exploitation requires user interaction, as the victim must visit the compromised page.
Adobe's security advisory provides details on mitigation, available at https://helpx.adobe.com/security/products/magento/apsb26-05.html.
Details
- CWE(s)