PatchSiren cyber security CVE debrief
CVE-2026-34655 Adobe CVE debrief
CVE-2026-34655 is a stored cross-site scripting issue in Adobe Commerce that can let a high-privileged attacker plant malicious JavaScript in vulnerable form fields. When a victim later opens the affected page, the script can run in their browser. The CVSS vector shows network reachability, low attack complexity, high privileges required, user interaction required, and changed scope.
- Vendor: Adobe
- Product: Commerce
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-20
Who should care
Adobe Commerce administrators, security teams, and operators who manage high-privilege admin accounts or workflows that let trusted users enter content into form fields. Teams running affected Commerce or Commerce B2B releases should treat this as a real admin-side exposure, especially where multiple privileged users review the same records.
Technical summary
NVD classifies the flaw as CWE-79 stored XSS with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The supplied description says malicious scripts can be injected into vulnerable form fields and executed when a victim browses to the page containing that field. Because scope is changed, the impact is not confined to the vulnerable Commerce component: the injected script runs in the victim's browser, under the victim's session rather than the attacker's.
Defensive priority
Medium. This is not a no-click internet worm-style issue, but it can still expose privileged admin sessions and sensitive back-office data. Prioritize remediation in your normal patch cycle, and accelerate it if multiple staff members review or edit the affected records.
Recommended defensive actions
- Apply Adobe’s remediation from APSB26-49 and move affected instances to a fixed release as soon as practical.
- Review which users have high-privilege access to Commerce admin workflows; remove unnecessary editing rights and enforce least privilege.
- Audit custom modules and extensions that accept, store, or render HTML in admin form fields, since stored XSS often reappears in local customizations.
- Check for unexpected script-like content or unescaped markup in the affected records and clean up any suspicious entries.
- Confirm MFA and session protections are enabled for privileged Commerce accounts, since exploitation requires a privileged user and a victim interaction.
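As an added example (not code from Adobe or from the advisory), the following Python implements the check in the fourth action above: it scans a constructed export of admin form-field values for script-like content and unescaped markup, decoding entity-encoded values first. The record layout, field names and sample values are assumptions.

```python
"""Scan exported admin form-field values for stored-XSS indicators (constructed example)."""
import html
import re

# Heuristic indicators that should not appear in plain-text admin fields.
# Expect some false positives (e.g. a value containing "onion="); review hits manually.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    ("embedded-object", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]


def normalize(value: str) -> str:
    """Undo entity encoding twice so that '&amp;lt;script&amp;gt;' and
    '&lt;script&gt;' are both inspected as '<script>'."""
    return html.unescape(html.unescape(value))


def scan_field(record_id: str, field: str, value: str) -> list:
    """Return one (record_id, field, label) tuple per indicator found in a value."""
    text = normalize(value)
    return [(record_id, field, label) for label, rx in INDICATORS if rx.search(text)]


def scan_records(records: list) -> list:
    """records: dicts with an 'id' and a 'fields' mapping (assumed export shape)."""
    hits = []
    for rec in records:
        for field, value in rec["fields"].items():
            if isinstance(value, str):
                hits.extend(scan_field(rec["id"], field, value))
    return hits


# Constructed sample export: two clean records (plain formatting tags are
# tolerated) and one entity-encoded record carrying an event handler.
SAMPLE_RECORDS = [
    {"id": "1001", "fields": {"name": "Spring catalogue", "note": "Reviewed 2026-05-13"}},
    {"id": "1002", "fields": {"name": "Promo <b>bold</b>", "note": "uses <br> for layout"}},
    {"id": "1003", "fields": {"name": "x", "note": "&lt;img src=x onerror=beacon()&gt;"}},
]

if __name__ == "__main__":
    for record_id, field, label in scan_records(SAMPLE_RECORDS):
        print(f"record {record_id} field {field!r}: {label}")
```

Point the loader at a real export of the affected records and treat every hit as a candidate for manual review rather than an automatic clean-up.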
Evidence notes
Based on the official NVD record for CVE-2026-34655, which is marked Analyzed and references the Adobe PSIRT advisory APSB26-49. The supplied record lists publication time 2026-05-12T20:16:36.607Z and modification time 2026-05-20T15:59:10.687Z. NVD’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and the weakness is identified as CWE-79.
Official resources
- CVE-2026-34655 CVE record (CVE.org)
- CVE-2026-34655 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (Adobe PSIRT, APSB26-49)
Publicly disclosed in the CVE/NVD record on 2026-05-12, with an NVD modification on 2026-05-20. No CISA KEV entry was supplied in the corpus.