What is the CVSS score of CVE-2026-34706?

CVE-2026-34706 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Adobe InCopy are affected by CVE-2026-34706?

Adobe InCopy versions 21.3 and earlier contain an arbitrary code execution vulnerability triggered when users open maliciously crafted files, affecting creative and content teams across the…

How to fix or mitigate CVE-2026-34706?

Within 24 hours: Inventory all InCopy installations; communicate to users that opening files from untrusted external sources presents immediate risk and should be deferred. Within 7 days: Restrict InCopy file access to internal sources only; if InCopy is non-critical to operations, disable installation on workstations pending patch release. Within 30 days: Monitor Adobe PSIRT advisory APSB26-59 for patch release; prepare rapid deployment of patched version (exact version TBD per Adobe advisory) to all affected systems upon availability.

Adobe InCopy CVE-2026-34706

EUVD-2026-35786 HIGH

Out-of-bounds Write (CWE-787)

2026-06-09 adobe

GHSA-vrf2-x73g-j53m

Memory Corruption Buffer Overflow RCE Incopy

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 18:54 vuln.today

DescriptionCVE.org

InCopy versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe InCopy 21.3, 20.5.3, and earlier allows attackers to run code as the current user when a victim opens a maliciously crafted file. The flaw stems from an out-of-bounds write (CWE-787) in file parsing logic, carries a CVSS 7.8 (local, user-interaction required), and has no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify InCopy-using target

Delivery

Deliver crafted .icml via email or shared drive

Exploit

Victim opens file in InCopy

Install

Out-of-bounds write triggered in parser

Shellcode executes as current user

Execute

Establish persistence or steal credentials

Impact

Pivot into editorial systems

Recon

Identify InCopy-using target

Delivery

Deliver crafted .icml via email or shared drive

Exploit

Victim opens file in InCopy

Install

Out-of-bounds write triggered in parser

Shellcode executes as current user

Execute

Establish persistence or steal credentials

Impact

Pivot into editorial systems

Vulnerability AssessmentAI

Exploitation	The victim must open an attacker-supplied malicious InCopy document (UI:R in the CVSS vector), and the targeted host must be running an unpatched InCopy 21.3 / 20.5.3 or earlier installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects local attack vector with required user interaction but full CIA impact, which is characteristic of client-side document-parsing bugs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker emails a publishing-house editor a malicious InCopy assignment file disguised as a legitimate story or correction from a freelance writer; when the editor opens the file in InCopy, the out-of-bounds write is triggered during parsing and the attacker's shellcode executes with the editor's privileges, enabling credential theft, lateral movement into editorial CMS systems, or deployment of ransomware. No public exploit is identified at time of analysis, but the bug class and user-interaction-only trigger are well within reach of motivated actors who craft a working POC from the advisory.
Remediation	Apply the patch available per Adobe advisory APSB26-59 (https://helpx.adobe.com/security/products/incopy/apsb26-59.html) by upgrading to the fixed InCopy releases listed by the vendor - exact fixed build numbers should be taken directly from that bulletin, as they are not enumerated in the CVE record itself. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all InCopy installations; communicate to users that opening files from untrusted external sources presents immediate risk and should be deferred. …

Threat intelligence, references, and detailed analysis are available after sign-in.