CVE-2026-21290

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.9-alpha3 and earlier

Description The software is susceptible to a stored Cross-Site Scripting (XSS) issue. A low-privileged attacker could inject malicious scripts into vulnerable form fields. Execution of malicious JavaScript may occur in a victim’s browser when they access the page containing the vulnerable field. A successful attack could lead to session takeover, impacting confidentiality and integrity. Exploitation requires user interaction, specifically a victim browsing to the page with the vulnerable field.

Recommendations Update Adobe Commerce to a version later than 2.4.9-alpha3.