Adobe Acrobat Code Execution Vulnerability, CVSS 8.6
Summary
CISA added CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026. The vulnerability affects Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier, with a CVSS score of 8.6. Successful exploitation allows arbitrary code execution via a malicious PDF file through prototype pollution. Federal agencies are subject to Binding Operational Directive 22-01 remediation timelines.
What changed
CISA added a new actively exploited vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2026-34621 is a prototype pollution vulnerability in Adobe Acrobat Reader that allows arbitrary code execution when a user opens a malicious PDF file. The vulnerability has a CVSS score of 8.6 and affects versions through 26.001.21367.
Federal agencies must remediate this vulnerability per Binding Operational Directive 22-01 timelines. All organizations using Adobe Acrobat Reader should prioritize patching given the KEV listing indicates active exploitation in the wild. Users should avoid opening untrusted PDF files until patches are applied.
What to do next
- Review CISA KEV catalog for affected systems
- Prioritize patching Adobe Acrobat Reader installations
- Monitor Adobe security bulletins for updates
Archived snapshot
Apr 14, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Adobe Systems Incorporated
Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CWE 1 Total
Learn more
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
CVSS 1 Total
Learn more
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.6 | HIGH | 3.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Product Status
Learn more Versions 1 Total
Default Status: affected
affected
- affected from 0 through 26.001.21367
References 1 Total
- https://helpx.adobe.com/security/products/acrobat/apsb26-43.html vendor-advisory
Authorized Data Publishers
CISA-ADP
Updated:
2026-04-14
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
Learn more
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-11 |
KEV 1 Total
Learn more
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621 (2026-04-13)
Named provisions
Related changes
Get daily alerts for CISA Known Exploited Vulnerabilities (KEV)
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CISA Known Exploited Vulnerabilities (KEV) publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.