Stored XSS Vulnerability in Adobe Commerce Products
CVE-2026-21290
8.7HIGH
What is CVE-2026-21290?
Adobe Commerce is vulnerable to a stored Cross-Site Scripting (XSS) issue in versions 2.4.9-alpha3 and earlier, allowing attackers with low privileges to inject harmful scripts into form fields. If exploited, this vulnerability can execute malicious JavaScript in users' browsers when they access affected pages, potentially leading to session hijacking. Successful exploitation requires user interaction, making it essential for users to be cautious when navigating to potentially compromised fields.
Affected Version(s)
Adobe Commerce 0 <= 2.4.4-p16