Description
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Published: 2026-06-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Affected Systems

The affected product is Adobe Acrobat Reader for all operating systems that shipped the specified versions. Users running any of the listed release numbers, or earlier releases that share the same code base, are at risk until they upgrade to a patched revision provided by Adobe.

Risk and Exploitability

This vulnerability has a CVSS score of 7.7 and is not listed in the CISA KEV catalog. Its EPSS score is < 1%, indicating the exploit probability is low. Because the exploit requires user interaction to open a malicious file, the attack likely involves user interaction such as social engineering or phishing; however, this inference is based on the description and not explicitly stated in the CVE data. Once triggered, the attacker can execute arbitrary code with the victim's user rights, potentially escalating privileges if the victim has administrative rights. The absence of a KEV listing does not negate the need to patch promptly, as the CVSS score signals a substantial risk.

Generated by OpenCVE AI on June 24, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Acrobat Reader update that addresses CVE-2026-47937
  • Configure the operating system to restrict write access to Acrobat's installation directory, preventing unauthorized changes to executable paths
  • Enforce least-priority user accounts for file viewer applications and implement policy to disallow automatic execution of PDF files from untrusted sources
  • Regularly check Adobe’s security advisories and apply patches as they are released

Generated by OpenCVE AI on June 24, 2026 at 09:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

 cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}

Fri, 12 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe acrobat
Adobe acrobat Dc
Adobe acrobat Reader Dc
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*
cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*
cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe acrobat
Adobe acrobat Dc
Adobe acrobat Reader Dc
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 10 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe acrobat Reader
Vendors & Products Adobe
Adobe acrobat Reader

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Title Acrobat Reader | Uncontrolled Search Path Element (CWE-427)
Weaknesses CWE-427
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Acrobat Acrobat Dc Acrobat Reader Acrobat Reader Dc
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-23T21:19:36.150Z

Reserved: 2026-05-20T15:50:31.362Z

Link: CVE-2026-47937

cve-icon Vulnrichment

Updated: 2026-06-10T10:04:21.940Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T21:17:23.463

Modified: 2026-06-12T19:23:47.600

Link: CVE-2026-47937

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element