Skip to main content

Prototype Pollution CVE-2026-34626

| EUVDEUVD-2026-22337 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-14 adobe GHSA-m5xm-mx43-q65f
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 18:48 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:00 euvd
EUVD-2026-22337
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
CVE Published
Apr 14, 2026 - 16:18 nvd
MEDIUM 6.3

DescriptionCVE.org

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Prototype pollution in Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier allows arbitrary file system read operations in the context of the current user when a victim opens a malicious PDF or document. The vulnerability requires user interaction but enables confidentiality compromise with high impact; no active exploitation confirmed but the attack surface is broad given Acrobat Reader's ubiquity in document handling.

Technical ContextAI

The vulnerability stems from improper handling of object prototype attributes (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes), a class of flaw in JavaScript and similar interpreted environments where attacker-controlled input can pollute the prototype chain of built-in objects. In Adobe Acrobat Reader's document processing engine, this allows manipulation of inherited properties and methods, leading to unintended file system access. The affected CPE cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:* encompasses all Acrobat Reader versions, with confirmed vulnerable versions ranging from 0 through 24.001.30362, including the extended support releases (24.x) and the current version line (26.x). The prototype pollution occurs during parsing or scripting execution within embedded JavaScript contexts in PDF documents.

RemediationAI

Apply the patched version released by Adobe as documented in APSB26-44 security bulletin (https://helpx.adobe.com/security/products/acrobat/apsb26-44.html); the advisory specifies fixed versions for both the 24.x extended support release line and the 26.x current release line. Users should update Acrobat Reader immediately through Adobe's automatic update mechanism or manual download from adobe.com. As an interim mitigation, disable JavaScript execution in Acrobat Reader preferences (Edit > Preferences > Security) and exercise caution when opening PDFs from untrusted sources, particularly those received via email or from external websites. Organizations should enforce update deployment through centralized patch management systems.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-34626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy