Description
Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-06-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Acrobat PDF Extension for Chrome is affected by a UXSS‑style vulnerability that allows an attacker to read data from the victim’s session. The flaw can be triggered when a user visits a maliciously crafted URL or interacts with a compromised web page. The vulnerability bypasses same‑origin restrictions, enabling disclosure of sensitive session information and other confidential data. The impact is primarily the loss of confidentiality of user session data and the possibility of session hijacking or credential theft.

Affected Systems

Adobe Acrobat PDF Extension for Chrome, versions 26.5.2.2 and earlier, are impacted. Users who have installed or upgraded to any earlier build of the extension via the Chrome Web Store are at risk.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity, but the EPSS score of less than 1% points to a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user to visit a malicious or compromised web page, so the threat vector is primarily user interaction. Given the moderate severity and low exploit probability, the overall risk is elevated but unlikely to be widely abused without targeted phishing campaigns.

Generated by OpenCVE AI on June 17, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Adobe Acrobat PDF Extension to the latest version available in the Chrome Web Store to eliminate the cross‑origin data disclosure flaw.
  • If a quick update is not possible, disable or uninstall the extension until an official fix is released to remove the attack surface.
  • Consider blocking or filtering URLs that are known to host malicious content or that target the PDF extension to reduce the chance of a user visiting an exploit page.

Generated by OpenCVE AI on June 17, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Acrobat Pdf Extension (chrome)
Vendors & Products Adobe
Adobe adobe Acrobat Pdf Extension (chrome)

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title UXSS Cross‑Origin Data Disclosure in Adobe Acrobat PDF Extension for Chrome

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

Adobe Adobe Acrobat Pdf Extension (chrome)
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-16T20:59:39.571Z

Reserved: 2026-05-21T15:28:38.135Z

Link: CVE-2026-48294

cve-icon Vulnrichment

Updated: 2026-06-16T20:59:35.398Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:35Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')