{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27245", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-02-18T22:02:41.383Z", "datePublished": "2026-04-14T17:33:46.104Z", "dateUpdated": "2026-04-14T19:27:37.316Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Connect", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "12.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 9.3, "environmentalSeverity": "CRITICAL", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 9.3, "temporalSeverity": "CRITICAL", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Reflected XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:33:46.104Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27245", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T19:05:30.090636Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:27:37.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27245", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T19:05:30.090636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:23:01.736Z"}}], "cna": {"title": "Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "modifiedScope": "CHANGED", "temporalScore": 9.3, "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "CRITICAL", "availabilityImpact": "NONE", "environmentalScore": 9.3, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "HIGH", "environmentalSeverity": "CRITICAL", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Connect", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "12.10"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (Reflected XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:33:46.104Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27245", "state": "PUBLISHED", "dateUpdated": "2026-04-14T19:27:37.316Z", "dateReserved": "2026-02-18T22:02:41.383Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T17:33:46.104Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "id": "CVE-2026-27245", "lastModified": "2026-04-15T16:14:07.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T18:16:55.890", "references": [{"source": "psirt@adobe.com", "url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "adobe_connect", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T20:32:56.992406+00:00", "value": {"mitigation_remediation": ["Apply the latest Adobe Connect patch or upgrade to a supported version that includes the fix", "Verify the version of your installation against the Adobe Connect release notes", "If urgent patching is not possible, restrict external access to the Connect web interface or use network controls to limit exposure to untrusted traffic"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (Reflected) that can execute arbitrary JavaScript in a victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "Adobe Connect deployments running version 2025.3, 12.10 or any earlier release are affected. The issue applies to all installations of Adobe Connect that have not been updated beyond these versions.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw that allows an attacker to embed malicious JavaScript in a web page that a victim visits. When a victim clicks a crafted URL, the script runs with the privileges of the user\u2019s browser session, potentially enabling information theft, session hijack, or defacement. The severity assessment notes a change of scope in the CVSS calculation, indicating that an attacker could gain privileges beyond the original context.", "risk_and_exploitability": "The CVSS score is 9.3, indicating high severity. No EPSS score is available, but the lack of mitigation in the public notes suggests the exploit is likely to be attempted once disclosed. The attack vector is remote user\u2011initiated via a malicious link, requiring only that a victim visit the vulnerable page. Because the flaw is reflected and does not require authentication or privileged access, the exposure to a large user base is substantial."}}}}, "created": "2026-04-15T14:41:09.780567+00:00", "updated": "2026-04-15T14:54:06.336099+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_connect"]}