Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-11
Score: 8.6 High
EPSS: 9.6% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Acrobat Reader is vulnerable to a prototype pollution flaw that can allow a malicious PDF to modify JavaScript object prototypes. This flaw is described as CWE‑1321 and can be exploited to execute arbitrary code in the context of the current user when a PDF file is opened.

Affected Systems

Versions of Acrobat Reader before 24.001.30356 and 26.001.21367 are affected, including both classic and continuous build series. The flaw applies to installations running on the major operating systems supported by Acrobat Reader such as Windows and macOS.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of 0.09589% indicates a very low probability of widespread exploitation. The flaw is listed in the CISA KEV catalog, indicating that known exploits have been observed in the wild. Exploitation requires a user to open a specially crafted PDF file, making it a user‑interaction attack.

Generated by OpenCVE AI on May 2, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest released version of Adobe Acrobat Reader or apply the vendor’s patch illustrated in the Adobe Accessed Product Security Bulletin for this CVE.
  • Configure Acrobat Reader to block or warn about opening PDF files from unknown or untrusted sources.
  • Disable JavaScript execution within PDFs if the user does not require it, or restrict script execution to a sandboxed environment.

Generated by OpenCVE AI on May 2, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe acrobat
Adobe acrobat Dc
Adobe acrobat Reader Dc
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*
cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*
cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe acrobat
Adobe acrobat Dc
Adobe acrobat Reader Dc
Apple
Apple macos
Microsoft
Microsoft windows

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-04-13T00:00:00+00:00', 'dueDate': '2026-04-27T00:00:00+00:00'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe acrobat Reader
Vendors & Products Adobe
Adobe acrobat Reader

Sun, 12 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Sat, 11 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 11 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Adobe Acrobat Acrobat Dc Acrobat Reader Acrobat Reader Dc
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T03:55:27.955Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34621

cve-icon Vulnrichment

Updated: 2026-04-11T17:06:37.524Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T07:16:03.633

Modified: 2026-04-13T21:23:27.000

Link: CVE-2026-34621

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T15:45:45Z

Weaknesses