CVE-2026-34617
Published: 14 April 2026
Summary
CVE-2026-34617 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 Flaw Remediation mandates timely patching of vulnerabilities like this XSS issue in Adobe Connect, as detailed in APSB26-37.
SI-10 Information Input Validation directly prevents malicious script injection by validating and rejecting invalid inputs used in web pages.
SI-15 Information Output Filtering neutralizes injected scripts before rendering on web pages, blocking XSS execution and privilege escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vuln in public-facing Adobe Connect enables privilege escalation (T1068) via exploitation of the web app (T1190) and browser session hijacking (T1185) through script injection and victim interaction.
NVD Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access…
more
or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Deeper analysisAI
CVE-2026-34617 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Connect versions 2025.3, 12.10, and earlier. Published on 2026-04-14, it enables privilege escalation and has a CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, high impacts on confidentiality and integrity, and no availability impact.
A low-privileged attacker can exploit this vulnerability by injecting malicious scripts into a web page, which requires victim interaction such as visiting a maliciously crafted URL or engaging with a compromised web page. Successful exploitation could allow the attacker to gain elevated access or control over the victim's account or session.
Adobe's security bulletin APSB26-37, available at https://helpx.adobe.com/security/products/connect/apsb26-37.html, provides details on mitigation and available patches.
Details
- CWE(s)