Cyber Resilience

CVE-2026-34617

High

Published: 14 April 2026

Published
14 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0031 22.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34617 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-34617 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. Published on 2026-04-14, it enables privilege escalation and has a CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, high impacts on confidentiality and integrity, and no availability impact.

A low-privileged attacker can exploit this vulnerability by injecting malicious scripts into a web page, which requires victim interaction such as visiting a maliciously crafted URL or engaging with a compromised web page. Successful exploitation could allow the attacker to gain elevated access or control over the victim's account or session.

Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, provides details on mitigation and available patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access…

more

or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS vuln in public-facing Adobe Connect enables privilege escalation (T1068) via exploitation of the web app (T1190) and browser session hijacking (T1185) through script injection and victim interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27245Same product: Adobe Connect
CVE-2026-27246Same product: Adobe Connect
CVE-2026-27243Same product: Adobe Connect
CVE-2026-27303Same product: Adobe Connect
CVE-2026-34615Same product: Adobe Connect
CVE-2026-27283Same product: Apple Macos
CVE-2026-34636Same product: Apple Macos
CVE-2026-21320Same product: Apple Macos
CVE-2026-21343Same product: Apple Macos
CVE-2026-21318Same product: Apple Macos

Affected Assets

adobe
connect
≤ 12.11
adobe
connect desktop application
≤ 2025.3 · ≤ 2025.9.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 Flaw Remediation mandates timely patching of vulnerabilities like this XSS issue in Adobe Connect, as detailed in APSB26-37.

prevent

SI-10 Information Input Validation directly prevents malicious script injection by validating and rejecting invalid inputs used in web pages.

prevent

SI-15 Information Output Filtering neutralizes injected scripts before rendering on web pages, blocking XSS execution and privilege escalation.

References