Description
InCopy versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe InCopy versions 21.3, 20.5.3 and earlier contain an out‑of‑bounds write flaw that can lead to arbitrary code execution in the context of the current user. The vulnerability is triggered when a maliciously crafted file is opened within the application, allowing an attacker to overwrite adjacent memory and execute injected code. The primary impact is the execution of arbitrary code with the permissions of the user who opens the file, potentially compromising the machine or the network.

Affected Systems

The affected product is Adobe InCopy. Versions 21.3, 20.5.3 and all earlier releases of the software are vulnerable. The issue does not affect other Adobe products or later builds beyond the stated version thresholds.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity. The vulnerability is not listed in CISA’s KEV catalog. Because exploitation requires the victim to open a malicious file, the attack depends on user interaction (UI:R, with a local attack vector, AV:L, in the CVSS vector), making it more likely to succeed in environments where users routinely process untrusted documents. The combination of high CVSS, the requirement for user action, and the potential for arbitrary code execution indicates a moderate to high risk for affected installations.

Generated by OpenCVE AI on June 9, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe InCopy to any version later than 21.3 or 20.5.3 that includes the vendor‑supplied fix as outlined in Adobe’s security advisory.
  • Implement file‑type whitelisting or stricter access controls so that only trusted documents can be opened by users, reducing the likelihood that a malicious file is processed.
  • Scan all documents with a current antivirus or anti‑malware solution before opening them in InCopy to detect and block exploitation attempts.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple, Apple macos, Microsoft, Microsoft windows
CPEs | | cpe:2.3:a:adobe:incopy:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple, Apple macos, Microsoft, Microsoft windows

Wed, 10 Jun 2026 10:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe, Adobe incopy
Vendors & Products | | Adobe, Adobe incopy

Tue, 09 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | InCopy versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | InCopy | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T10:08:10.586Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34706

Vulnrichment

Updated: 2026-06-10T10:08:06.500Z

NVD

Status: Analyzed

Published: 2026-06-09T18:16:43.087

Modified: 2026-06-10T13:01:33.153

Link: CVE-2026-34706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:15:16Z

Weaknesses