Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Local file open with user interaction in a low-privileged user context (AV:L, PR:L, UI:R); a successful DLL hijack yields full C/I/A impact and a scope change, since the loaded code escapes Reader's intended boundary.
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Description (NVD)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Analysis (AI)
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs via an uncontrolled search path element (DLL/binary search-order hijack) that runs attacker-supplied code in the current user's context when a victim opens a malicious file. Adobe addressed the issue in advisory APSB26-63. No public exploit was identified at the time of analysis, the EPSS score is very low (0.03%, 8th percentile), and CISA SSVC marks exploitation as 'none' with no automation potential, indicating opportunistic-only risk today despite the high CVSS base score of 8.2.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to open a malicious file in Adobe Acrobat Reader (UI:R per CVSS) from a directory that also contains an attacker-supplied library or binary, typically delivered via a crafted archive, network share, removable media, or download bundle, because the search path element Reader loads from is influenced by the file's surrounding directory. … |
| Risk Assessment | Signals diverge sharply: CVSS 8.2 reflects high confidentiality, integrity, and availability impact with scope change, but AV:L plus UI:R require local file access and a user opening the malicious document, which already constrains mass exploitation. … |
| Exploit Scenario | An attacker delivers a ZIP or shared-folder bundle containing a benign-looking PDF alongside a malicious DLL whose name matches a library Acrobat Reader resolves via an insecure search path; the victim extracts the archive and double-clicks the PDF, causing Reader to load the attacker's DLL from the document's directory and execute code as the current user. No public exploit was identified at the time of analysis, but the technique is well understood and reusable from existing search-order-hijack tooling. |
| Remediation | Apply the fixed releases published in Adobe Security Bulletin APSB26-63 (https://helpx.adobe.com/security/products/acrobat/apsb26-63.html): upgrade Acrobat Reader to a version newer than 24.001.30365 in the 24.x branch and newer than 26.001.21651 in the 26.x branch as specified by Adobe, taking the exact patched version numbers from APSB26-63. … |
Recommended Action (AI)
Within 24 hours: inventory Adobe Acrobat Reader deployments and document the affected user populations. …
Related identifiers: EUVD-2026-35826, GHSA-4446-c973-3qv5