CVE-2026-21361 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The vulnerability allows a high-privileged attacker to inject malicious JavaScript code into form fields that are stored and later rendered in the web application without proper sanitization or encoding. When a victim user visits a page containing the injected script, the malicious code executes in their browser context, potentially allowing session hijacking, unauthorized actions, or data theft. The attack vector is network-based with low complexity, requiring no special conditions beyond user interaction (the victim must visit the compromised page). The vulnerability impacts confidentiality and integrity at a high level but does not affect availability. The scope is considered changed (S:C) because the vulnerability can affect users beyond the attacker. Although no public exploits are currently known, the high severity and ease of exploitation make this a critical concern for organizations running affected Adobe Commerce versions. The lack of available patches at the time of disclosure increases the urgency for mitigation.

The impact of CVE-2026-21361 is significant for organizations using Adobe Commerce, a widely deployed e-commerce platform. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including administrators, thereby compromising sensitive customer data, order information, and administrative controls. This undermines the confidentiality and integrity of the affected systems and data. Attackers could also use the vulnerability to conduct further attacks such as privilege escalation or data manipulation. The requirement for user interaction limits automated exploitation but does not prevent targeted attacks, especially in environments with high user traffic. The vulnerability could damage customer trust, lead to financial losses, and cause regulatory compliance issues due to data breaches. Given Adobe Commerce’s global usage, the threat has broad implications for online retailers and service providers worldwide.

To mitigate CVE-2026-21361, organizations should immediately upgrade to the latest patched versions of Adobe Commerce once available. Until patches are released, implement strict input validation and output encoding on all user-supplied data, especially in form fields that are stored and rendered. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize existing stored data to remove malicious scripts. Limit high-privileged user access to trusted personnel and monitor for unusual activities that may indicate exploitation attempts. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads. Educate users about the risks of clicking suspicious links and visiting untrusted pages. Finally, maintain comprehensive logging and incident response plans to quickly detect and respond to potential attacks.