EUVD-2026-22651
GHSA-qgg3-vppq-vr2q
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high impact to confidentiality, integrity, and availability when users open malicious files. The vulnerability requires local access and user interaction (opening a crafted document), with no authentication barriers (CVSS PR:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must open a malicious file in Adobe InDesign Desktop versions 20.5.2, 21.2, or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk assessment reveals moderate-to-high concern despite the 7.8 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious InDesign document (.indd file) containing specially formatted data that triggers the heap-based buffer overflow during file parsing. The attacker delivers this weaponized file via email, file sharing, or compromised download sites, using social engineering to convince a designer or publisher to open it. … |
| Remediation | Vendor-released patch details are available through Adobe Security Bulletin APSB26-32 at https://helpx.adobe.com/security/products/indesign/apsb26-32.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Adobe InDesign installations (versions 20.5.2, 21.2, and earlier) across the organization and disable external document handling where operationally feasible; notify design and publishing teams to avoid opening files from untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-i
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE
Share
External POC / Exploit Code
Leaving vuln.today