CVE-2026-21290 Overview
CVE-2026-21290 is a stored Cross-Site Scripting (XSS) vulnerability affecting multiple versions of Adobe Commerce, Adobe Commerce B2B, and Adobe Magento Open Source. This vulnerability allows a low-privileged attacker to inject malicious JavaScript into vulnerable form fields, which is then persistently stored and executed when other users browse to the affected page. Successful exploitation can lead to session takeover, compromising both confidentiality and integrity of user sessions.
Critical Impact
A low-privileged attacker can achieve session takeover by injecting malicious scripts into vulnerable form fields, potentially compromising administrator accounts and sensitive e-commerce data.
Affected Products
- Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier
- Adobe Commerce B2B versions 1.5.3-alpha3, 1.5.2-p3, 1.4.2-p8, 1.3.5-p13, 1.3.4-p15, 1.3.3-p16 and earlier
- Adobe Magento Open Source versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15 and earlier
Discovery Timeline
- 2026-03-11 - CVE-2026-21290 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-21290
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists in form fields within Adobe Commerce and related platforms. Unlike reflected XSS attacks, which require victims to click malicious links, stored XSS payloads are persisted on the target server and execute automatically whenever users access the affected pages. The attack can be initiated over the network and requires only low privileges, though user interaction is necessary because victims must navigate to the page containing the injected payload.
The vulnerability's ability to facilitate session takeover is particularly concerning for e-commerce platforms, where administrative sessions control sensitive customer data, payment information, and order management systems. Once an attacker captures an administrative session, they can perform unauthorized actions including accessing customer records, modifying pricing, or injecting additional malicious content.
Root Cause
The root cause of CVE-2026-21290 is insufficient input validation and output encoding in form field handling within Adobe Commerce. When user-supplied input is stored in the database and later rendered in HTML pages without proper sanitization, malicious JavaScript code can execute in the context of other users' browsers. The affected form fields fail to implement adequate security controls such as Content Security Policy (CSP) enforcement, HTML entity encoding, or input filtering that would prevent script injection.
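The following Python illustration is an added example, not code from Adobe Commerce or from this advisory: it contrasts the vulnerable pattern described above (a stored value concatenated straight into markup) with output encoding at render time, and uses an HTML parser to show which elements each rendering actually produces. The stored value and the template strings are constructed; in Magento's PHP templates the equivalent calls are the Escaper's escapeHtml() for text and escapeHtmlAttr() for attribute values.

```python
import html
from html.parser import HTMLParser

# Constructed stored value: what a low-privileged user might have saved in a name field.
STORED_VALUE = "Bob<script>alert(document.domain)</script>"

def render_unsafe(name):
    # Vulnerable pattern: the stored string is concatenated straight into markup.
    return "<p>Reviewer: " + name + "</p>"

def render_text_escaped(name):
    # Hardened: encode for the HTML text context at output time (Magento: $escaper->escapeHtml()).
    return "<p>Reviewer: " + html.escape(name, quote=True) + "</p>"

def render_attr_escaped(name):
    # Hardened: the attribute context also needs quotes encoded (Magento: $escaper->escapeHtmlAttr()).
    return '<input type="text" name="reviewer" value="' + html.escape(name, quote=True) + '">'

class TagCollector(HTMLParser):
    """Records the elements and attributes an HTML parser actually sees in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)

def parsed_view(markup):
    """Return (element names in document order, merged attributes) for the given markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.attrs

if __name__ == "__main__":
    print(parsed_view(render_unsafe(STORED_VALUE)))        # (['p', 'script'], {})
    print(parsed_view(render_text_escaped(STORED_VALUE)))  # (['p'], {})
    print(parsed_view(render_attr_escaped(STORED_VALUE)))  # (['input'], {...}) with value as literal text
```

The point of the parser check is that escaping is a property of the rendered output, not of the stored data: the same stored string is kept intact in the database and in the attribute value, yet no script element is created once it is encoded for the context it lands in.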
Attack Vector
The attack vector for this vulnerability involves a low-privileged user submitting crafted input containing malicious JavaScript to vulnerable form fields within the Adobe Commerce administrative or customer-facing interface. The payload is stored in the application's database. When administrators or other users subsequently view pages that display the stored content, the malicious script executes in their browser context.
The attacker can leverage this to steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of the victim user. Given that this targets an e-commerce platform, attackers could potentially access payment processing functions, customer personal information, or inject code to capture credit card details entered by customers.
Detection Methods for CVE-2026-21290
Indicators of Compromise
- Unexpected JavaScript code or <script> tags appearing in database fields that store form input data
- Unusual session activity from administrative accounts, including logins from unexpected IP addresses or geographic locations
- Browser console errors or security warnings when accessing Adobe Commerce admin pages
- User reports of unexpected redirects or pop-ups when browsing the store
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS payloads in HTTP requests targeting Adobe Commerce form endpoints
- Enable and monitor Content Security Policy (CSP) violation reports to identify attempted script injections
- Conduct regular database audits to identify stored content containing potentially malicious script patterns
- Deploy browser-based security monitoring to detect DOM manipulation and unauthorized script execution
Monitoring Recommendations
- Configure logging for all form submissions to administrative and customer-facing areas, with alerting on submissions containing HTML or JavaScript patterns
- Monitor for abnormal patterns in session cookie usage, such as session tokens being used from multiple IP addresses simultaneously
- Implement real-time monitoring of outbound network requests from client browsers to detect data exfiltration attempts
- Review access logs for the specific form endpoints and flag requests with encoded script payloads
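The detection strategies and monitoring recommendations above (database audits for stored script patterns, access-log review of form endpoints for encoded payloads, and session tokens used from several IP addresses) are combined in the following Python script. It is an added example written for this page, not tooling from Adobe or from the advisory; the table names, endpoint prefixes, log lines and session events are all constructed sample data, and the regular expressions are heuristics to be tuned per field.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Heuristic patterns for HTML/JavaScript in fields that should hold plain text.
# Constructed for this example; expect some false positives (e.g. "once=") and tune per field.
SCRIPT_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("embedding_tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]

def find_script_patterns(text):
    """Names of the patterns that match; URL-decoding once catches %3Cscript%3E in logged query strings."""
    decoded = unquote_plus(text)
    return [name for name, rx in SCRIPT_PATTERNS if rx.search(decoded)]

# Constructed sample rows, as exported from tables that hold form input (not real data).
STORED_ROWS = [
    {"table": "customer_entity", "id": 101, "field": "firstname", "value": "Alice"},
    {"table": "review_detail", "id": 55, "field": "detail", "value": "Great product, fast shipping!"},
    {"table": "review_detail", "id": 56, "field": "detail",
     "value": "Nice<script>alert(document.domain)</script>"},
    {"table": "customer_address_entity", "id": 7, "field": "street",
     "value": '1 Main St<img src=x onerror="alert(1)">'},
]

def audit_stored_rows(rows):
    """Database audit: (table, id, field, matched_patterns) for every row that looks like markup."""
    findings = []
    for row in rows:
        hits = find_script_patterns(row["value"])
        if hits:
            findings.append((row["table"], row["id"], row["field"], hits))
    return findings

# Constructed Apache combined-format access log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [11/Mar/2026:10:15:02 +0000] "GET /catalogsearch/result/?q=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2026:10:16:40 +0000] "GET /contact/index/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [11/Mar/2026:10:17:01 +0000] "POST /review/product/post/id/42/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FORM_ENDPOINTS = ("/contact/", "/review/", "/customer/", "/admin/")  # assumed store paths

def flag_log_requests(lines, endpoints=FORM_ENDPOINTS):
    """Access-log review: requests to form endpoints whose URL carries an (encoded) script pattern.
    Combined logs omit POST bodies, so this only sees payloads that travel in the query string."""
    flagged = []
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        ip, _ts, method, path, _status = m.groups()
        if path.startswith(endpoints):
            hits = find_script_patterns(path)
            if hits:
                flagged.append((ip, method, path, hits))
    return flagged

# Constructed session events (epoch seconds, session id, client IP), e.g. from an auth/session log.
SESSION_EVENTS = [
    (1773223200, "sess_a", "198.51.100.10"),
    (1773223260, "sess_a", "198.51.100.10"),
    (1773223300, "sess_b", "203.0.113.7"),
    (1773223320, "sess_b", "192.0.2.44"),     # same session, new IP 20 s later
    (1773230000, "sess_c", "198.51.100.10"),
    (1773240000, "sess_c", "203.0.113.9"),    # hours apart; a plausible network change, not flagged
]

def sessions_shared_across_ips(events, window_seconds=300):
    """Flag a session id that two different client IPs use within window_seconds of each other."""
    by_session = defaultdict(list)
    for ts, sid, ip in events:
        by_session[sid].append((ts, ip))
    flagged = {}
    for sid, uses in by_session.items():
        uses.sort()
        for (t1, ip1), (t2, ip2) in zip(uses, uses[1:]):
            if ip1 != ip2 and t2 - t1 <= window_seconds:
                flagged.setdefault(sid, set()).update((ip1, ip2))
    return {sid: sorted(ips) for sid, ips in flagged.items()}

if __name__ == "__main__":
    for f in audit_stored_rows(STORED_ROWS):
        print("stored:", f)
    for f in flag_log_requests(LOG_LINES):
        print("log:", f)
    for sid, ips in sessions_shared_across_ips(SESSION_EVENTS).items():
        print("session:", sid, ips)
```

Two practical notes: the access-log check is necessarily partial because POST bodies are not written to standard web server logs, so the form-submission logging recommended above has to come from the application or a WAF; and the session check uses a short time window rather than "any two IPs", since a single user legitimately roams between networks over a day.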
How to Mitigate CVE-2026-21290
Immediate Actions Required
- Apply the latest security patches from Adobe as outlined in security bulletin APSB26-05
- Review and restrict privileges of user accounts that have access to form input fields in the administrative interface
- Implement additional input validation at the application layer while awaiting patch deployment
- Audit recent form submissions for evidence of XSS payload injection attempts
Patch Information
Adobe has released security updates to address this vulnerability. Organizations running affected versions should upgrade to the latest patched versions immediately. Detailed patch information and download links are available in the Adobe Security Advisory APSB26-05. The following versions contain the fix:
- Adobe Commerce: Upgrade to versions newer than 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, or 2.4.4-p16 depending on your release branch
- Adobe Commerce B2B: Upgrade to versions newer than 1.5.3-alpha3, 1.5.2-p3, 1.4.2-p8, 1.3.5-p13, 1.3.4-p15, or 1.3.3-p16
- Adobe Magento Open Source: Upgrade to versions newer than 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, or 2.4.5-p15
Workarounds
- Deploy a Web Application Firewall (WAF) with rules specifically configured to detect and block XSS patterns targeting Adobe Commerce form endpoints
- Implement strict Content Security Policy (CSP) headers that prevent inline script execution and restrict script sources to trusted domains
- Limit administrative access to known IP addresses or VPN connections to reduce the attack surface for session hijacking
- Disable or restrict access to non-essential form fields until patches can be applied
# Example CSP header configuration for Apache (.htaccess)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
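Two caveats on the header above, followed by an added example. First, the Magento storefront and admin rely on inline scripts (their RequireJS bootstrap and x-magento-init blocks), so a policy with script-src 'self' and no 'unsafe-inline' will break pages if deployed directly; roll it out as Content-Security-Policy-Report-Only first, build a baseline of the violations the platform itself produces, and only then enforce. Second, reports only arrive if the policy names a report-uri or report-to endpoint, which the header above omits. The Python below is an added example, not Adobe's code, showing how such an endpoint can triage reports in both the legacy report-uri JSON shape and the Reporting API batch shape: script-src violations are separated into a known baseline, unfamiliar inline scripts, and script loads from hosts outside an allowlist. The allowlist, baseline prefixes and report bodies are constructed.

```python
import json
from urllib.parse import urlparse

EXPECTED_SCRIPT_HOSTS = {"store.example", "cdn.example"}        # constructed allowlist
KNOWN_INLINE_SAMPLES = ("require.config(", "window.requirejs")   # constructed baseline of sample prefixes

def normalize_report(raw):
    """Turn one received report body into a list of {document, directive, blocked, sample} dicts."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:          # legacy report-uri format
        r = data["csp-report"]
        return [{
            "document": r.get("document-uri", ""),
            "directive": r.get("effective-directive") or r.get("violated-directive", ""),
            "blocked": r.get("blocked-uri", ""),
            "sample": r.get("script-sample", ""),
        }]
    if isinstance(data, list):                                   # Reporting API (report-to) batch
        out = []
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            b = item.get("body", {})
            out.append({
                "document": b.get("documentURL", ""),
                "directive": b.get("effectiveDirective", ""),
                "blocked": b.get("blockedURL", ""),
                "sample": b.get("sample", ""),
            })
        return out
    raise ValueError("unrecognised CSP report shape")

def classify(v):
    if not v["directive"].startswith("script-src"):
        return "ignore"                      # style/img/font violations are noise when hunting script injection
    if v["blocked"] in ("inline", "eval"):
        if v["sample"].startswith(KNOWN_INLINE_SAMPLES):
            return "baseline"                # the platform's own inline bootstrap
        return "suspicious_inline"           # inline script nobody has accounted for
    host = urlparse(v["blocked"]).hostname or ""
    return "baseline" if host in EXPECTED_SCRIPT_HOSTS else "unexpected_external"

def triage(raw_reports):
    """Count each class and return alerts for the two classes worth a human look."""
    summary = {"ignore": 0, "baseline": 0, "suspicious_inline": 0, "unexpected_external": 0}
    alerts = []
    for raw in raw_reports:
        for v in normalize_report(raw):
            kind = classify(v)
            summary[kind] += 1
            if kind in ("suspicious_inline", "unexpected_external"):
                alerts.append((kind, v["document"], v["blocked"], v["sample"][:40]))
    return summary, alerts

# Constructed report bodies, as a report-uri / report-to endpoint would receive them.
RAW_REPORTS = [
    json.dumps({"csp-report": {                                  # platform's own RequireJS bootstrap
        "document-uri": "https://store.example/admin/customer/index/",
        "effective-directive": "script-src-elem",
        "blocked-uri": "inline",
        "script-sample": "require.config({baseUrl: 'https://store.example/static/'",
    }}),
    json.dumps({"csp-report": {                                  # script host not on the allowlist
        "document-uri": "https://store.example/review/product/list/",
        "violated-directive": "script-src",
        "blocked-uri": "https://collector.invalid/x.js",
    }}),
    json.dumps({"csp-report": {                                  # style violation, irrelevant here
        "document-uri": "https://store.example/",
        "effective-directive": "style-src-elem",
        "blocked-uri": "inline",
    }}),
    json.dumps([                                                 # Reporting API batch
        {"type": "deprecation", "body": {}},
        {"type": "csp-violation", "body": {
            "documentURL": "https://store.example/admin/sales/order/",
            "effectiveDirective": "script-src-elem",
            "blockedURL": "inline",
            "sample": "(function(){var c=document.cookie;",
        }},
    ]),
]

if __name__ == "__main__":
    summary, alerts = triage(RAW_REPORTS)
    print(summary)
    for alert in alerts:
        print("ALERT", alert)
```

The script-sample field is the most useful signal for this CVE: a stored payload shows up as an inline script on a page whose legitimate inline scripts are already known, so anything not matching the baseline on an admin page deserves a look in the database tables that feed that page. Browsers only include samples when the policy contains the 'report-sample' keyword in script-src, so add it to the report-only policy.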
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.