CVE-2026-21291: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Commerce
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2026-21291 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier versions. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a high-privileged attacker to inject malicious JavaScript that is stored on the server and executed in the browsers of other users who visit the affected page. This stored XSS can lead to the theft of session tokens, unauthorized actions performed on behalf of users, or the delivery of further malware payloads. Exploitation requires the attacker to already hold high privileges within the Adobe Commerce environment, such as an administrator or trusted user, and requires the victim to visit the page containing the injected content. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS v3.1 base score is 4.8, reflecting a network attack vector, low attack complexity, high privileges required, user interaction required, and a scope change. No public exploits have been reported yet, and Adobe has not released patches at the time of this report. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.
Potential Impact
The primary impact of CVE-2026-21291 is on the confidentiality and integrity of Adobe Commerce environments. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, credential theft, or unauthorized actions such as modifying orders or customer data. While availability is not directly affected, the compromise of administrative accounts or customer sessions can lead to reputational damage, financial loss, and regulatory consequences for organizations. Given Adobe Commerce's widespread use in global e-commerce, attackers could leverage this vulnerability to target high-value retail and business platforms. The requirement for high privileges limits the initial attack surface but increases the risk if internal accounts are compromised or insider threats exist. The need for user interaction means social engineering or phishing may be used to lure victims to the malicious page. Overall, this vulnerability could facilitate broader attacks within compromised e-commerce infrastructures.
Mitigation Recommendations
Organizations should immediately audit and restrict administrative privileges within Adobe Commerce to minimize the risk of high-privileged account compromise. Implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Monitor logs and user activity for suspicious behavior indicative of XSS exploitation attempts. Until official patches are released by Adobe, consider applying virtual patching via Web Application Firewalls (WAFs) configured to detect and block typical XSS payloads targeting Adobe Commerce. Educate users, especially administrators, about the risks of clicking untrusted links or visiting suspicious pages. Regularly update Adobe Commerce to the latest patched versions once available. Conduct penetration testing focused on XSS vulnerabilities to identify and remediate similar issues proactively.
Affected Countries
United States, Germany, United Kingdom, Japan, Australia, Canada, India, France, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-12-12T22:01:18.190Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b0de272f860ef9430a0ac9
Added to database: 3/11/2026, 3:14:47 AM
Last enriched: 3/11/2026, 3:32:31 AM
Last updated: 3/12/2026, 4:40:55 AM