Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Prototype pollution in Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier allows arbitrary file system read operations in the context of the current user when a victim opens a malicious PDF or document. The vulnerability requires user interaction but enables confidentiality compromise with high impact; no active exploitation confirmed but the attack surface is broad given Acrobat Reader's ubiquity in document handling.
Technical ContextAI
The vulnerability stems from improper handling of object prototype attributes (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes), a class of flaw in JavaScript and similar interpreted environments where attacker-controlled input can pollute the prototype chain of built-in objects. In Adobe Acrobat Reader's document processing engine, this allows manipulation of inherited properties and methods, leading to unintended file system access. The affected CPE cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:* encompasses all Acrobat Reader versions, with confirmed vulnerable versions ranging from 0 through 24.001.30362, including the extended support releases (24.x) and the current version line (26.x). The prototype pollution occurs during parsing or scripting execution within embedded JavaScript contexts in PDF documents.
RemediationAI
Apply the patched version released by Adobe as documented in APSB26-44 security bulletin (https://helpx.adobe.com/security/products/acrobat/apsb26-44.html); the advisory specifies fixed versions for both the 24.x extended support release line and the 26.x current release line. Users should update Acrobat Reader immediately through Adobe's automatic update mechanism or manual download from adobe.com. As an interim mitigation, disable JavaScript execution in Acrobat Reader preferences (Edit > Preferences > Security) and exercise caution when opening PDFs from untrusted sources, particularly those received via email or from external websites. Organizations should enforce update deployment through centralized patch management systems.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22337
GHSA-m5xm-mx43-q65f