CVE-2026-21361 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. The vulnerability allows a high-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the Adobe Commerce platform. When a victim user visits a page containing the injected script, the malicious code executes in their browser context. This can lead to session hijacking, allowing attackers to impersonate users, access sensitive data, or perform unauthorized actions, thus compromising confidentiality and integrity. The attack requires user interaction, meaning the victim must navigate to the affected page for exploitation to succeed. The CVSS v3.1 base score is 8.1, reflecting high severity with network attack vector, low attack complexity, high privileges required, user interaction needed, and scope changed. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of Adobe Commerce in e-commerce environments. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The impact of CVE-2026-21361 is substantial for organizations using Adobe Commerce, particularly those running affected versions. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including administrators or customers, potentially leading to unauthorized access to sensitive data such as personal information, payment details, and order histories. This compromises confidentiality and integrity of data and can damage organizational reputation and customer trust. Additionally, attackers could manipulate site content or perform fraudulent transactions. The requirement for high privileges to inject the malicious script limits initial access vectors but does not eliminate risk, especially in environments with multiple administrators or compromised accounts. The necessity of user interaction means social engineering or phishing may be used to lure victims to the malicious page. Given Adobe Commerce’s global adoption in retail and e-commerce sectors, the threat can affect organizations worldwide, potentially disrupting business operations and causing financial losses.

1. Apply official patches from Adobe as soon as they become available to address the vulnerability directly. 2. Implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. 3. Restrict administrative privileges to the minimum necessary and monitor for unusual activities to reduce the risk of high-privileged account compromise. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and penetration testing focused on XSS vulnerabilities within the Adobe Commerce environment. 6. Educate users and administrators about phishing and social engineering tactics to reduce the likelihood of victims visiting malicious pages. 7. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Adobe Commerce. 8. Monitor logs for suspicious input patterns or repeated access to vulnerable pages to detect exploitation attempts early.