CVE-2026-27246
Published: 14 April 2026
Summary
CVE-2026-27246 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the DOM-based XSS vulnerability by requiring timely identification, reporting, and correction of the specific flaw through vendor patches as detailed in Adobe's APSB26-37 bulletin.
Prevents script injection by enforcing information input validation at critical points, addressing the improper neutralization of input during dynamic HTML generation in Adobe Connect.
Mitigates DOM-based XSS by filtering or validating information output prior to processing or insertion into web pages, blocking malicious scripts from execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The DOM-based XSS vulnerability in a public-facing web application (Adobe Connect) enables exploitation of public-facing applications (T1190) via crafted webpages, leading to arbitrary JavaScript execution in the victim's browser (T1059.007).
NVD Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account…
more
or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Deeper analysisAI
CVE-2026-27246 is a DOM-based Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. Assigned a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), it involves improper neutralization of input during dynamic HTML generation, allowing script injection. The vulnerability changes scope, indicating potential cross-origin impacts.
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this issue with low complexity (AC:L) by tricking a victim into visiting a maliciously crafted URL or interacting with a compromised web page (UI:R). Successful exploitation enables injection of malicious scripts into the web page, potentially granting the attacker elevated access or control over the victim's account or session, with high confidentiality and integrity impacts (C:H/I:H) but no availability disruption (A:N).
Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, provides details on the vulnerability and recommended mitigations, including patches for affected versions.
Details
- CWE(s)