Description
Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that allows an attacker to execute arbitrary code in the context of the current user. The flaw stems from the application searching for helper executables in directories that an attacker can control, enabling code injection if a malicious file is opened. The impact is full compromise of the user’s system and any data the user can access.

Affected Systems

Adobe Illustrator, versions 29.8.4, 30.1 and all earlier releases, running on Windows operating systems. The vulnerability is tied to the Windows search path resolution and therefore applies to any installation on that platform where the specified versions are present.

Risk and Exploitability

This weakness receives a high severity CVSS score of 8.6, indicating significant risk. However, its EPSS score is below 1 % and it is not listed in the CISA Known Exploited Vulnerabilities catalog, reflecting a low probability of current real-world exploitation. The attack requires user interaction – the victim must open a specially crafted Illustrator file – which reduces the likelihood that malware will propagate autonomously. Nonetheless, because successful exploitation results in arbitrary code execution under the victim’s account, the potential damage is substantial.

Generated by OpenCVE AI on April 16, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Illustrator to the latest available version or apply Adobe’s security update for this vulnerability.
  • Avoid opening unknown or untrusted Illustrator files from sources that are not verified.
  • If an upgrade is not immediately possible, employ endpoint protection that blocks execution of unknown binaries or monitor for abnormal process creation from Illustrator.

Generated by OpenCVE AI on April 16, 2026 at 03:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:illustrator:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 11 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe illustrator
Vendors & Products Adobe
Adobe illustrator

Tue, 10 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Illustrator | Untrusted Search Path (CWE-426)
Weaknesses CWE-426
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Adobe Illustrator
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:08:15.203Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21333

cve-icon Vulnrichment

Updated: 2026-03-11T13:01:54.468Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T23:16:43.400

Modified: 2026-03-11T17:05:54.213

Link: CVE-2026-21333

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses