CVE-2026-27243
Published: 14 April 2026
Summary
CVE-2026-27243 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the reflected XSS vulnerability by requiring timely application of vendor patches as specified in Adobe's security bulletin APSB26-37.
Prevents exploitation by validating and sanitizing untrusted inputs from malicious URLs before processing in Adobe Connect web pages.
Filters and encodes reflected content in web outputs to block execution of injected malicious scripts in victims' browsers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing Adobe Connect enables unauthenticated exploitation (T1190: Exploit Public-Facing Application) via malicious URLs that trick victims into executing arbitrary JavaScript (facilitating T1566.002: Spearphishing Link).
NVD Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account…
more
or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Deeper analysisAI
CVE-2026-27243 is a reflected Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. This flaw allows attackers to inject malicious scripts into web pages served by the affected software. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and high impacts on confidentiality and integrity.
Any unauthenticated attacker can exploit this vulnerability by crafting a malicious URL or compromising a web page that a victim interacts with, such as by clicking a link in phishing emails, social engineering, or malicious advertisements. Successful exploitation requires victim interaction but enables script injection, potentially allowing the attacker to steal session cookies, impersonate the user, or gain elevated access and control over the victim's account or session within Adobe Connect.
Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, addresses this vulnerability and provides guidance on mitigation. Security practitioners should consult the advisory for details on available patches and recommended remediation steps for affected Adobe Connect deployments.
Details
- CWE(s)