CVE-2026-21281 - Vulnerability Details

- InCopy | Heap-based Buffer Overflow (CWE-122)

Description

InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-01-13

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker can exploit a heap-based buffer overflow in Adobe InCopy versions 21.0, 19.5.5 and earlier by delivering a specially crafted file. When a victim opens this file, the vulnerable code can overwrite memory and execute arbitrary code with the privileges of the current user. The weakness arises from improper bounds checking while parsing document data, classifying it under CWE‑122 and CWE‑787. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

Affected installations include any Adobe InCopy deployment running the affected releases, regardless of operating system. The vulnerable versions are 21.0, 19.5.5 and all previous releases. As the products operate on Windows and macOS platforms, any user running those environments is at risk if an older version is in use.

Risk and Exploitability

The CVSS v3 score of 7.8 indicates a high severity. The EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently very low, and Adobe is not listed in the CISA KEV catalog. Nevertheless, the vulnerability requires user interaction—a malicious file must be opened—so the threat surface is limited to environments where users have the ability to access or download files from untrusted sources.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

InCopy

affected

Version	Status	Constraints
`0`	affected	≤ 19.5.5

Configuration 1 [-]

AND

OR	cpe:2.3:a:adobe:incopy::::::::
	cpe:2.3:a:adobe:incopy:21.0:::::::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor	Product	Confidence	Versions
Adobe	Incopy	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Download and install the security update for Adobe InCopy supplied in Adobe's 2026 AP Security Advisory 26‑04.
Upgrade to a version that is not impacted, such as InCopy 21.1 or later, or any release released after the advisory.
Implement file‑type restrictions or endpoint protection that prevents users from opening unknown or untrusted documents.

Generated by OpenCVE AI on April 18, 2026 at 06:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/incopy/apsb26-04.html

History

Wed, 14 Jan 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Microsoft Microsoft windows
Weaknesses		CWE-787
CPEs		cpe:2.3:a:adobe:incopy:::::::: cpe:2.3:a:adobe:incopy:21.0:::::::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Microsoft Microsoft windows

Wed, 14 Jan 2026 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe incopy
Vendors & Products		Adobe Adobe incopy

Tue, 13 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		InCopy \| Heap-based Buffer Overflow (CWE-122)
Weaknesses		CWE-122
References		https://helpx.adobe.com/security/products/incopy/apsb26-04.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Adobe Incopy

Apple Macos

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-01-13T18:45:30.580Z

Updated: 2026-02-26T15:04:14.608Z

Reserved: 2025-12-12T22:01:18.188Z

Link: CVE-2026-21281

Vulnrichment

Updated: 2026-01-13T18:58:55.224Z

NVD

Status : Analyzed

Published: 2026-01-13T19:16:25.857

Modified: 2026-01-14T19:28:33.957

Link: CVE-2026-21281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object