Cyber Resilience

CVE-2026-27245

Severity: Critical
Published: 14 April 2026
Modified: 28 April 2026
CVSS v3.1 score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0030 (21.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27245 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.9th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-27245 is a reflected Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and allows an attacker to inject malicious script into web pages served by the affected software. The vulnerability was published on 2026-04-14; its Scope metric is Changed (S:C), indicating that the impact extends beyond the vulnerable component, with potential cross-origin effects.

An unauthenticated attacker with network access can exploit the issue by crafting a malicious URL or compromising a web page and inducing a victim to interact with it, for example by clicking a link or visiting a site. Exploitation therefore requires user interaction, but the injected script then executes in the victim's browser context, potentially giving the attacker elevated access to or control over the victim's Adobe Connect account or session; the impact on confidentiality and integrity is rated high.

For mitigation details, refer to Adobe's security bulletin at https://helpx.adobe.com/security/products/connect/apsb26-37.html, which provides guidance on patches and remediation for affected versions.


Vulnerability details

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS in a public-facing Adobe Connect deployment maps directly to Exploit Public-Facing Application (T1190); because it yields arbitrary JavaScript execution in the victim's browser, it also enables Steal Web Session Cookie (T1539) and Browser Session Hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34617 (same product: Adobe Connect)
CVE-2026-27246 (same product: Adobe Connect)
CVE-2026-27243 (same product: Adobe Connect)
CVE-2026-27303 (same product: Adobe Connect)
CVE-2026-34615 (same product: Adobe Connect)
CVE-2026-21290 (same vendor: Adobe)
CVE-2026-27283 (same product: Apple macOS)
CVE-2026-34636 (same product: Apple macOS)
CVE-2026-21320 (same product: Apple macOS)
CVE-2026-21343 (same product: Apple macOS)

Affected Assets

adobe connect: ≤ 12.11
adobe connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the reflected XSS flaw in Adobe Connect by requiring timely application of vendor patches as specified in the security bulletin.

Prevent (SI-15 Information Output Filtering): Filters information output from web pages to block execution of injected malicious scripts in the victim's browser context.

Prevent (SI-10 Information Input Validation): Validates untrusted inputs from malicious URLs to prevent injection of script payloads into Adobe Connect web responses.
