{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21331", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.195Z", "datePublished": "2026-04-14T17:33:48.648Z", "dateUpdated": "2026-04-14T18:33:21.646Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Connect", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "12.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 6.1, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 6.1, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Reflected XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:33:48.648Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:33:02.818574Z", "id": "CVE-2026-21331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:33:21.646Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:33:02.818574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:33:05.747Z"}}], "cna": {"title": "Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "modifiedScope": "CHANGED", "temporalScore": 6.1, "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 6.1, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "LOW", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "LOW", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Connect", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "12.10"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (Reflected XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:33:48.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21331", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:33:21.646Z", "dateReserved": "2025-12-12T22:01:18.195Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T17:33:48.648Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*", "matchCriteriaId": "4A1D88E9-612C-49B1-8521-F2258D4D74CA", "versionEndExcluding": "12.11", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*", "matchCriteriaId": "185BF6E9-82FC-45E0-A64E-03FB923F34AD", "versionEndIncluding": "2025.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*", "matchCriteriaId": "783AAAA9-E68B-43E3-86A3-5227E27392A5", "versionEndExcluding": "2025.9.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed."}], "id": "CVE-2026-21331", "lastModified": "2026-04-22T19:34:20.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T18:16:43.953", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "adobe_connect", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T20:31:41.846150+00:00", "value": {"mitigation_remediation": ["Apply the latest security update for Adobe Connect that addresses CVE\u20112026\u201121331, or upgrade to a version newer than 2025.3/12.10. ", "If an immediate patch is unavailable, disable or restrict access to the affected Web pages until remediation is applied. ", "Instruct users to avoid clicking unfamiliar or suspicious URLs that might trigger the XSS payload."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Adobe Connect versions 2025.3, 12.10 and all earlier releases are affected. No newer versions are listed as impacted, suggesting that patching or upgrading mitigates the issue.", "description_and_impact": "A reflected Cross\u2011Site Scripting vulnerability exists in Adobe Connect that allows an attacker to inject and execute arbitrary JavaScript in the victim\u2019s browser when the victim visits a crafted URL. This flaw can lead to session hijacking, credential theft, or other malicious actions performed with the victim\u2019s privileges. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates a moderate severity. There is no EPSS data available, and the vulnerability is not part of the CISA KEV catalog. Based on the description, the attack vector is inferred to be via a user\u2011directed URL link that exploits reflected input processing. The scope change implies that the attack can affect components beyond the initial context, potentially escalating to broader system compromise."}}}}, "created": "2026-04-15T14:41:09.779705+00:00", "updated": "2026-04-15T14:54:02.929843+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_connect"]}