What is the CVSS score of CVE-2026-27283?

CVE-2026-27283 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Indesign Desktop are affected by CVE-2026-27283?

Adobe InDesign Desktop versions 20.5.2 and 21.2 and earlier contain a use-after-free vulnerability enabling arbitrary code execution when users open maliciously crafted files, potentially…

How to fix or mitigate CVE-2026-27283?

Within 24 hours: Inventory all InDesign Desktop installations and identify affected versions (20.5.2, 21.2, and earlier). Within 7 days: Implement file-source restrictions and user awareness training prohibiting opening InDesign files from untrusted sources; consider disabling InDesign file handling in email clients where feasible. Within 30 days: Monitor Adobe security advisories for patch availability and plan immediate deployment upon release; evaluate migration to later versions if available through your Adobe licensing agreement.

Indesign Desktop CVE-2026-27283

EUVD-2026-22436 HIGH

Use After Free (CWE-416)

2026-04-14 adobe

GHSA-565x-2q82-2jr2

Denial Of Service Use After Free RCE Memory Corruption Indesign Desktop

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 15:37 vuln.today

cvss_changed

Analysis Generated

Apr 14, 2026 - 18:49 vuln.today

EUVD ID Assigned

Apr 14, 2026 - 17:00 euvd

EUVD-2026-22436

Analysis Generated

Apr 14, 2026 - 17:00 vuln.today

CVE Published

Apr 14, 2026 - 16:45 nvd

HIGH 7.8

DescriptionCVE.org

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier allows unauthenticated attackers to execute malicious code with current user privileges through maliciously crafted files. The use-after-free vulnerability requires user interaction (opening a weaponized InDesign file) but offers high impact across confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious InDesign file

Delivery

Deliver via email/file share

Exploit

User opens weaponized document

Execution

Trigger use-after-free in parser

Persist

Execute arbitrary code as current user

Impact

Achieve persistence/lateral movement

Access

Craft malicious InDesign file

Delivery

Deliver via email/file share

Exploit

User opens weaponized document

Execution

Trigger use-after-free in parser

Persist

Execute arbitrary code as current user

Impact

Achieve persistence/lateral movement

Vulnerability AssessmentAI

Exploitation	The victim must open a malicious file in Adobe InDesign Desktop versions 20.5.2, 21.2, or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability presents moderate real-world risk despite its high CVSS base score of 7.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious InDesign project file (.indd) containing specially formatted data structures that trigger use-after-free conditions during parsing. The weaponized file is delivered via email to graphic designers at a target organization, disguised as a legitimate project request from a prospective client or partner agency. …
Remediation	Apply vendor-released patches detailed in Adobe Security Bulletin APSB26-32 available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all InDesign Desktop installations and identify affected versions (20.5.2, 21.2, and earlier). …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48293 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-i

CVE-2026-34695 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft

CVE-2026-34696 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge

CVE-2026-34697 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow

CVE-2026-34698 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE

CVE-2026-27283 vulnerability details – vuln.today

Back

Indesign Desktop CVE-2026-27283

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code