CVE-2026-27246 is a DOM-based Cross-Site Scripting (CWE-79) vulnerability affecting Adobe Connect versions 2025.3, 12.10, and earlier. The issue arises from insufficient sanitization or validation of data that influences the DOM, enabling attackers to execute arbitrary JavaScript code within the victim's browser session. This can lead to a change in scope, allowing an attacker to compromise confidentiality and integrity of user data. Exploitation requires the victim to interact by visiting a maliciously crafted webpage. The vulnerability is rated critical with a CVSS 3.1 score of 9.3, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and high impact on confidentiality and integrity. No official fix or patch has been announced, and Adobe Connect is not a cloud service, so remediation depends on vendor updates.

Successful exploitation of this DOM-based XSS vulnerability could allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to theft or manipulation of sensitive information accessible in the browser session. The vulnerability impacts confidentiality and integrity but does not affect availability. The critical CVSS score (9.3) indicates a high risk if exploited. However, exploitation requires user interaction (visiting a crafted webpage). There are no known active exploits in the wild currently.

Patch status is not yet confirmed — check the Adobe advisory for current remediation guidance. Since Adobe Connect is not a cloud service, remediation depends on Adobe releasing and users applying an official fix. Until a patch is available, users should exercise caution when interacting with untrusted webpages and consider applying any recommended workarounds from Adobe once published. Monitor Adobe's security advisories for updates on patches or mitigations.