Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
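State: PUBLISHED | CVE record format: 5.2 | CWE-1321
(The 5.2 is the record's dataVersion, not a severity score; the CNA's CVSS 3.1 base score in the record below is 9.6, CRITICAL.)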
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Problem type
- Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Affected products
Adobe
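Acrobat Reader
<= 26.001.21367 - AFFECTED (the description also lists 24.001.30356 and earlier; this single range does not distinguish the two version lines, so confirm the fixed build for your installed line in the vendor advisory)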
References
GitHub Security Advisories
GHSA-vcqh-932g-m3qj
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly...
https://github.com/advisories/GHSA-vcqh-932g-m3qj
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-34621
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-34621",
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"dateUpdated": "2026-04-11T17:06:40.544Z",
"dateReserved": "2026-03-30T17:30:36.490Z",
"datePublished": "2026-04-11T06:45:43.512Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe",
"dateUpdated": "2026-04-11T06:45:43.512Z"
},
"datePublic": "2026-04-10T17:00:00.000Z",
"title": "Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)",
"descriptions": [
{
"lang": "en",
"value": "Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
],
"affected": [
{
"vendor": "Adobe",
"product": "Acrobat Reader",
"defaultStatus": "affected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "26.001.21367"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)",
"cweId": "CWE-1321",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://helpx.adobe.com/security/products/acrobat/apsb26-43.html",
"tags": [
"vendor-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NETWORK",
"modifiedAttackComplexity": "LOW",
"modifiedPrivilegesRequired": "NONE",
"modifiedUserInteraction": "REQUIRED",
"modifiedScope": "CHANGED",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedAvailabilityImpact": "HIGH",
"environmentalScore": 9.7,
"environmentalSeverity": "CRITICAL"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-04-11T17:06:40.544Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}