Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier contain an out‑of‑bounds write that can lead to arbitrary code execution within the context of the current user. The vulnerability is triggered when a malicious document is opened, allowing an attacker to control the execution flow of InDesign. Successful exploitation would compromise confidentiality, integrity, and availability of the affected system and could spread malware further if the user shares or propagates the infected file.

Affected Systems

Adobe InDesign Desktop is affected, specifically deployments of versions 21.3, 20.5.3 and all earlier releases. The vulnerability does not extend to other Adobe products or later InDesign versions that have received the official fix.

Risk and Exploitability

The CVSS score of 7.8 denotes high severity. No EPSS score is available, so the exact likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog, which indicates that no widespread exploitation has been reported yet. An attacker must rely on a user opening a malicious InDesign file, so the attack vector is local and requires user interaction (AV:L and UI:R in the CVSS vector). Nonetheless, the potential for arbitrary code execution poses a significant risk to systems that open or download InDesign documents without adequate control.

Generated by OpenCVE AI on June 9, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe InDesign Desktop to the latest patched release as detailed in Adobe’s security advisory.
  • Restrict the opening of InDesign files to trusted sources and configure file type filtering or whitelisting to block untrusted .indd documents.
  • Conduct user awareness training so that users are cautioned against opening unfamiliar or suspicious InDesign files.

Generated by OpenCVE AI on June 9, 2026 at 21:07 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title InDesign Desktop | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:42:15.103Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34700

Vulnrichment

Updated: 2026-06-09T18:42:10.457Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T18:16:41.577

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses