CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server. When a victim user accesses the affected page containing the injected script, the malicious code executes in their browser context. This can lead to session hijacking, enabling attackers to impersonate victims, steal sensitive information, or perform unauthorized actions within the application. The vulnerability requires user interaction, as the victim must visit the compromised page for the attack to succeed. The CVSS 3.1 base score is 8.7, indicating high severity, with attack vector being network-based, low attack complexity, requiring low privileges, and user interaction. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported yet, but the potential impact on confidentiality and integrity is significant. Adobe Commerce is a widely used e-commerce platform, making this vulnerability critical for organizations relying on it for online retail operations.

The impact of CVE-2026-21290 is substantial for organizations using Adobe Commerce, as successful exploitation can lead to session hijacking and unauthorized access to user accounts, including administrative accounts if targeted. This compromises the confidentiality and integrity of sensitive customer and business data, potentially resulting in data breaches, financial fraud, and reputational damage. Attackers could manipulate transactions, steal personal information, or escalate privileges within the platform. The requirement for user interaction limits automated exploitation but does not significantly reduce risk given the common nature of browsing e-commerce sites. The vulnerability can affect the availability indirectly by undermining trust in the platform and causing operational disruptions during incident response. Given Adobe Commerce's global usage in retail, the threat extends to a wide range of industries and geographies, increasing the potential for widespread impact.

Organizations should immediately assess their Adobe Commerce installations to identify affected versions and prioritize upgrading to patched versions once available. In the absence of patches, implement strict input validation and output encoding on all user-supplied data in form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Use web application firewalls (WAFs) configured to detect and block XSS payloads targeting known vulnerable endpoints. Educate users and administrators about the risk of clicking untrusted links and encourage the use of multi-factor authentication to reduce the impact of session hijacking. Regularly audit and monitor logs for suspicious activities indicative of XSS exploitation attempts. Additionally, limit user privileges to the minimum necessary to reduce the attack surface for low-privileged attackers.