CVE-2026-34621
CVE-2026-34621 is a high-severity vulnerability in Adobe Acrobat Dc with a CVSS 3.x base score of 8.6. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-13). The underlying weakness is classified as CWE-1321.
Key facts
- Severity: High (CVSS 3.x base score 8.6)
- EPSS exploit prediction: 7% (93rd percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-04-13)
- EU (EUVD) id: EUVD-2026-21675
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-04-13)
- Weakness: CWE-1321
- Affected product: Adobe Acrobat Dc
- Published:
- Last modified:
Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Frequently asked questions
- What is CVE-2026-34621?
- Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- How severe is CVE-2026-34621?
- CVE-2026-34621 has a CVSS 3.x base score of 8.6, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-34621 being actively exploited?
- Yes. CVE-2026-34621 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-34621?
- CVE-2026-34621 primarily affects Adobe Acrobat Dc. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-34621?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-34621 have an EU (EUVD) identifier?
- Yes. CVE-2026-34621 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-21675. It is also flagged as exploited in the EUVD (since 2026-04-13).
- When was CVE-2026-34621 published?
- CVE-2026-34621 was published on 2026-04-11 and last updated on 2026-06-17.
References
- https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621
Affected products (3)
- cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*
- cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*
- cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*
More vulnerabilities in Adobe Acrobat Dc
- CVE-2018-4872 — Critical (CVSS 10.0): An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier…
- CVE-2016-1044 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2016-1041 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2016-1038 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2015-7622 — Critical (CVSS 10.0): Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before…
- CVE-2015-6691 — Critical (CVSS 10.0): Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and…
All CVEs affecting Adobe Acrobat Dc →
Other CWE-1321 (Prototype Pollution) vulnerabilities
- CVE-2026-25142 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__…
- CVE-2024-39008 — Critical (CVSS 10.0): robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This…
- CVE-2024-38999 — Critical (CVSS 10.0): jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This…
- CVE-2022-29823 — Critical (CVSS 10.0): Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object.…
- CVE-2022-24760 — Critical (CVSS 10.0): Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution…
- CVE-2020-12079 — Critical (CVSS 10.0): Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron…