Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
AnalysisAI
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Technical ContextAI
This vulnerability manifests in Adobe Connect's web conferencing platform (CPE: cpe:2.3:a:adobe:adobe_connect), stemming from CWE-79 (Improper Neutralization of Input During Web Page Generation). XSS flaws occur when user-supplied data is reflected in HTML responses without adequate sanitization or encoding. In this case, the changed scope indicator (S:C in CVSS vector) suggests the injected scripts can breach the trust boundary between Adobe Connect and other components, potentially accessing session tokens, cookies, or resources in connected Adobe services. The PR:L (low privileges required) designation indicates authenticated users with minimal permissions can craft the attack payload, likely targeting higher-privileged administrators or meeting hosts who interact with shared content, URLs, or collaborative features within the platform.
RemediationAI
Adobe has released security bulletin APSB26-37 addressing this vulnerability. Organizations must immediately apply the vendor-provided patch by upgrading to the version specified in the advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html (exact patched version number not provided in available data; consult bulletin directly). As an interim control while planning upgrades, implement strict Content Security Policy (CSP) headers to mitigate XSS injection effectiveness, restrict low-privileged user capabilities to share URLs or embed content in meeting rooms, and educate users to avoid clicking unverified links within Adobe Connect sessions. Monitor authentication logs for unusual privilege escalation patterns or session hijacking indicators. Prioritize patching for internet-facing deployments and environments where untrusted low-privileged users can interact with high-privilege accounts.
Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr
Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a
Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J
Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote
Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar
Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma
Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22673
GHSA-2xf6-9qjq-vwwm