Description
InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write in Adobe InCopy allows an attacker to achieve arbitrary code execution in the context of the current user. The flaw arises when a malicious file is opened, leading the application to write data beyond the bounds of a buffer and corrupt memory. This results in loss of confidentiality, integrity, and availability for the user who opens the file. The weakness is classified as CWE‑787.

Affected Systems

Adobe InCopy versions 20.5.2, 21.2, and all earlier releases are vulnerable. Users running these versions on any platform are at risk if they open files created by an attacker or that have been tampered with.

Risk and Exploitability

The vulnerability carries a high CVSS score of 7.8, indicating significant potential impact. Exploit probability is not quantified by EPSS, but the requirement of user interaction to open a malicious file limits the attack surface to situations where phishing or social engineering can be employed. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and no public exploit has been reported, suggesting moderate likelihood of exploitation in the near term. Nonetheless, the high severity warrants immediate attention.

Generated by OpenCVE AI on April 14, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe security patch for InCopy released in the 2026 security advisory
  • Upgrade to the latest version of InCopy, which includes the fix
  • Educate users to avoid opening files from untrusted sources

Generated by OpenCVE AI on April 14, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:incopy:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe incopy
Vendors & Products Adobe
Adobe incopy

Tue, 14 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title InCopy | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Incopy
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T17:37:21.917Z

Reserved: 2026-03-30T17:30:36.491Z

Link: CVE-2026-34631

cve-icon Vulnrichment

Updated: 2026-04-15T17:37:13.334Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T22:16:31.837

Modified: 2026-04-15T19:33:14.547

Link: CVE-2026-34631

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses