Cyber Resilience

CVE-2026-27246

Critical

Published: 14 April 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS v3.1: 9.3 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.0030 (21.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27246 is a critical-severity DOM-based Cross-site Scripting (CWE-79) vulnerability in Adobe Connect and the Adobe Connect Desktop Application. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in the analysis below are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering); the vendor fix published in Adobe bulletin APSB26-37 removes the flaw itself.

Deeper analysis

CVE-2026-27246 is a DOM-based Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10 and earlier. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). The root cause is improper neutralization of attacker-controlled input when client-side code builds HTML dynamically, so injected script runs in the victim's browser. Scope is changed (S:C) because the impact lands in the victim's browser session, a different security authority than the vulnerable Connect component.

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit the issue with low complexity (AC:L) by tricking a victim into opening a maliciously crafted URL or interacting with a compromised web page (UI:R). Because the flaw is DOM-based, the tainted value is read and written by JavaScript in the browser; if it is carried in the URL fragment, it never reaches Adobe Connect's servers, will not appear in server-side logs and cannot be blocked by a server-side WAF. Successful exploitation runs attacker script in the victim's origin, which can expose the session and perform actions as the victim, giving high confidentiality and integrity impact (C:H/I:H) and no availability impact (A:N).

Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, provides details on the vulnerability and recommended mitigations, including patches for affected versions.


Vulnerability details

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The DOM-based XSS vulnerability in a public-facing web application (Adobe Connect) enables exploitation of public-facing applications (T1190) via crafted webpages, leading to arbitrary JavaScript execution in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27243 · Same product: Adobe Connect
CVE-2026-34617 · Same product: Adobe Connect
CVE-2026-27245 · Same product: Adobe Connect
CVE-2026-27303 · Same product: Adobe Connect
CVE-2026-34615 · Same product: Adobe Connect
CVE-2024-53963 · Same vendor: Adobe
CVE-2026-27283 · Same product: Apple macOS
CVE-2026-34636 · Same product: Apple macOS
CVE-2026-21320 · Same product: Apple macOS
CVE-2026-21343 · Same product: Apple macOS

Affected Assets

Vendor   Product                      Versions
adobe    connect                      ≤ 12.11
adobe    connect desktop application  ≤ 2025.3 · ≤ 2025.9.15

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the DOM-based XSS vulnerability by requiring timely identification, reporting, and correction of the specific flaw through vendor patches as detailed in Adobe's APSB26-37 bulletin.

SI-10 Information Input Validation · prevent

Prevents script injection by enforcing information input validation at critical points, addressing the improper neutralization of input during dynamic HTML generation in Adobe Connect.

SI-15 Information Output Filtering · prevent

Mitigates DOM-based XSS by filtering or validating information output prior to processing or insertion into web pages, blocking malicious scripts from execution.
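The exploitation path described under Deeper analysis and the SI-10 / SI-15 controls above, modelled as an added example that is not Adobe's code and not taken from APSB26-37. The page does not disclose which parameter or DOM sink Adobe Connect mishandles, so the `name` and `room` keys, the `#key=value` fragment carrier, the hostname and every function name below are assumptions. It runs under Node with the built-in WHATWG URL API and shows three things: the raw value spliced into an `innerHTML`-style string (vulnerable), the same value encoded at the sink (SI-15) or rejected by an allowlist (SI-10), and why a fragment-borne payload never shows up in what the server sees.

```javascript
// Added example (not Adobe's code): a DOM-based XSS sink beside its hardened forms.
// Assumptions: the 'name' and 'room' keys, the fragment carrier and the function names
// are hypothetical; the page does not disclose Adobe Connect's vulnerable sink.

// Read the untrusted value the way client-side code would: from the query string if
// present, otherwise from the fragment. The fragment matters for DOM-based XSS because
// browsers never send it to the server.
function untrustedFromUrl(urlString, key) {
  const url = new URL(urlString);
  const fromQuery = url.searchParams.get(key);
  if (fromQuery !== null) return fromQuery;
  return new URLSearchParams(url.hash.replace(/^#/, '')).get(key);
}

// SI-15 (output filtering): HTML-encode for element-content or quoted-attribute
// context. Encode rather than strip, so the value survives but cannot break out.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// SI-10 (input validation): an identifier that must never contain markup is checked
// against an allowlist and rejected outright, never "cleaned up".
const ROOM_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
function roomIdFromUrl(urlString) {
  const raw = untrustedFromUrl(urlString, 'room');
  return raw !== null && ROOM_ID_RE.test(raw) ? raw : null;
}

// Vulnerable pattern (CWE-79, DOM-based): the raw value is spliced into a string
// the page would assign to element.innerHTML.
function renderGreetingUnsafe(urlString) {
  const name = untrustedFromUrl(urlString, 'name') ?? 'guest';
  return '<h1>Welcome, ' + name + '</h1>';
}

// Hardened pattern: encode at the sink. In a real page prefer a non-HTML sink such
// as element.textContent, which needs no encoding at all.
function renderGreetingSafe(urlString) {
  const name = untrustedFromUrl(urlString, 'name') ?? 'guest';
  return '<h1>Welcome, ' + htmlEncode(name) + '</h1>';
}

// What a server-side access log or WAF sees for a link: path and query only. A payload
// carried in the fragment never appears here, so server-side monitoring cannot see it.
function serverVisiblePart(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// Constructed sample links (hostname and payload are made up for this example).
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const QUERY_LINK = 'https://connect.example.test/meet?name=' + encodeURIComponent(PAYLOAD);
const FRAGMENT_LINK = 'https://connect.example.test/meet#name=' + encodeURIComponent(PAYLOAD);

function demo() {
  for (const link of [QUERY_LINK, FRAGMENT_LINK]) {
    console.log('link        :', link);
    console.log('server sees :', serverVisiblePart(link));
    console.log('unsafe sink :', renderGreetingUnsafe(link));
    console.log('safe sink   :', renderGreetingSafe(link));
  }
  console.log('room id     :', roomIdFromUrl('https://connect.example.test/meet#room=r7-standup'));
}
demo();
```

Running it prints the fragment link's server-visible part as just `/meet`, which is the practical point for responders: a DOM-based payload of this shape leaves no trace in Connect's server logs, so hunting has to rely on the patched version being deployed and on client-side telemetry rather than on request logs.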
