Skip to main content

Prototype Pollution CVE-2026-34621

| EUVDEUVD-2026-21675 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-11 psirt@adobe.com GHSA-vcqh-932g-m3qj
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Added to CISA KEV
Apr 13, 2026 - 18:02 CISA
Severity Changed
Apr 12, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 05:22 NVD
9.6 (CRITICAL) 8.6 (HIGH)
EUVD ID Assigned
Apr 11, 2026 - 07:25 euvd
EUVD-2026-21675
Analysis Generated
Apr 11, 2026 - 07:25 vuln.today
CVE Published
Apr 11, 2026 - 07:16 nvd
CRITICAL 9.6

DescriptionCVE.org

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-1321 (Prototype Pollution), a class of attack where attackers modify JavaScript object prototypes in runtime environments. Adobe Acrobat Reader embeds JavaScript engines for PDF interactivity (form validation, calculations, document actions). By injecting malicious properties into Object.prototype or other built-in prototypes through specially crafted PDF JavaScript, attackers can alter application behavior globally. When legitimate code accesses polluted properties, the injected values trigger unintended execution paths. Affected versions span Acrobat Reader 24.001.30356, 26.001.21367 and all earlier releases (per EUVD data confirming versions 0 through 26.001.21367). The scope change (S:C) in CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, consistent with JavaScript prototype chains influencing application-wide execution contexts.

RemediationAI

Apply vendor-released patches from Adobe Security Bulletin APSB26-43 available at https://helpx.adobe.com/security/products/acrobat/apsb26-43.html. While the input data does not specify exact fixed versions, Adobe's standard patching cadence typically releases updates simultaneously with bulletin publication-consult APSB26-43 for platform-specific installers and fixed version numbers. Enterprise deployments should use centralized update mechanisms (Adobe Update Server, SCCM, Intune) to ensure coverage across endpoints. Interim risk reduction measures include: disable JavaScript execution in Acrobat Reader preferences (Edit > Preferences > JavaScript > uncheck 'Enable Acrobat JavaScript'), though this may break legitimate PDF form functionality; implement email gateway filtering to block PDF attachments from untrusted sources; educate users on PDF phishing risks and suspicious document indicators (unexpected macro prompts, external resource loads). Protected View mode (if available in affected versions) provides sandboxing for untrusted documents but should not replace patching.

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

CVE-2024-38983 CRITICAL POC
9.8 Jul 30

Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial

Share

CVE-2026-34621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy