Skip to main content

Adobe CVE-2026-34617

| EUVDEUVD-2026-22673 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 adobe GHSA-2xf6-9qjq-vwwm
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 19:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:39 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 18:01 euvd
EUVD-2026-22673
Analysis Generated
Apr 14, 2026 - 18:01 vuln.today
CVE Published
Apr 14, 2026 - 17:33 nvd
HIGH 8.7

DescriptionCVE.org

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

AnalysisAI

Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.

Technical ContextAI

This vulnerability manifests in Adobe Connect's web conferencing platform (CPE: cpe:2.3:a:adobe:adobe_connect), stemming from CWE-79 (Improper Neutralization of Input During Web Page Generation). XSS flaws occur when user-supplied data is reflected in HTML responses without adequate sanitization or encoding. In this case, the changed scope indicator (S:C in CVSS vector) suggests the injected scripts can breach the trust boundary between Adobe Connect and other components, potentially accessing session tokens, cookies, or resources in connected Adobe services. The PR:L (low privileges required) designation indicates authenticated users with minimal permissions can craft the attack payload, likely targeting higher-privileged administrators or meeting hosts who interact with shared content, URLs, or collaborative features within the platform.

RemediationAI

Adobe has released security bulletin APSB26-37 addressing this vulnerability. Organizations must immediately apply the vendor-provided patch by upgrading to the version specified in the advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html (exact patched version number not provided in available data; consult bulletin directly). As an interim control while planning upgrades, implement strict Content Security Policy (CSP) headers to mitigate XSS injection effectiveness, restrict low-privileged user capabilities to share URLs or embed content in meeting rooms, and educate users to avoid clicking unverified links within Adobe Connect sessions. Monitor authentication logs for unusual privilege escalation patterns or session hijacking indicators. Prioritize patching for internet-facing deployments and environments where untrusted low-privileged users can interact with high-privilege accounts.

More in Adobe

View all
CVE-2015-5119 CRITICAL POC
9.8 Jul 08

Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr

CVE-2016-4117 CRITICAL POC
9.8 May 11

Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a

CVE-2015-3113 CRITICAL POC
9.8 Jun 23

Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J

CVE-2011-2462 CRITICAL POC
9.8 Dec 07

Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote

CVE-2011-0611 HIGH POC
8.8 Apr 13

Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar

CVE-2009-0927 HIGH POC
8.8 Mar 19

Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj

CVE-2014-0497 CRITICAL POC
9.8 Feb 05

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma

CVE-2009-4324 HIGH POC
7.8 Dec 15

Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac

CVE-2015-0313 CRITICAL POC
9.8 Feb 02

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows

CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2015-0311 CRITICAL POC
9.8 Jan 23

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window

CVE-2013-0632 CRITICAL POC
9.8 Jan 17

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos

Share

CVE-2026-34617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy