Home / Vulnerability Intelligence / CVE-2026-21290

CVE-2026-21290 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 11, 2026

Adobe Commerce - Stored XSS

Published: March 11, 2026Updated: March 11, 2026Remote Exploitable

Overview

Adobe Commerce <= 2.4.9-alpha3 contains a stored XSS caused by improper sanitization of form fields, letting low-privileged attackers inject malicious scripts, exploit requires victim to browse vulnerable page.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 4.2%(Probability of exploitation in next 30 days)

Impact

Attackers can execute malicious scripts in victim browsers, leading to session takeover and high confidentiality and integrity impact.

Mitigation

Update to the latest available version beyond 2.4.9-alpha3.

References

https://helpx.adobe.com/security/products/magento/apsb26-05.html

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🟠 CVE-2026-21290 - High (8.7) Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts i... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21290/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-21290
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: confirmed
EPSS: 4.2%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

4.2%Probability of exploitation in the next 30 days