VDB

CVE-2026-21290

CVE-2026-21290 PUBLISHED CVSS 8.699999809265137 HIGH

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

EPSS 0.06% · 18.3th percentile

Risk Scores

CVSS 3.1
8.699999809265137
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score
0.06%
18.3th percentile

Affected Products

VendorProductVersions
adobecommerce_b2b1.3.3, 1.3.4, 1.3.5
adobecommerce2.4.5, 2.4.5, 2.4.5
adobemagento2.4.5, 2.4.7, 2.4.7
AdobeAdobe Commerce0

Timeline

  • Mar 11, 2026 CVE Published
  • Mar 11, 2026 EPSS Score
  • Mar 11, 2026 PoC Published
  • Mar 12, 2026 EPSS Score
  • Mar 13, 2026 EPSS Score
  • Mar 14, 2026 EPSS Score
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 17, 2026 Security Advisory
  • Mar 17, 2026 Security Advisory
  • Mar 18, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›