What is the CVSS score of CVE-2026-48291?

CVE-2026-48291 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Adobe Format Plugins are affected by CVE-2026-48291?

Adobe Format Plugins versions 1.1.2 and earlier contain a critical heap-based buffer overflow enabling arbitrary code execution when users open malicious files, exposing all organizations using these…

How to fix or mitigate CVE-2026-48291?

Within 24 hours: Identify and inventory all systems running Adobe Format Plugins versions ≤1.1.2; disable the plugins if not operationally essential, or revoke user permissions to open external files within the plugin interface. Within 7 days: Deploy user security awareness training on external file handling and source verification; configure email gateway filtering rules for attachments likely to trigger Adobe plugins; enable endpoint process logging and monitoring for Adobe plugin execution. Within 30 days: Monitor Adobe Security Bulletin APSB26-65 for patch release; develop and test patch deployment procedures; evaluate alternative file handling solutions if patches remain unavailable beyond 30 days.

Adobe Format Plugins CVE-2026-48291

EUVD-2026-35835 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-06-09 psirt@adobe.com

GHSA-rf2g-jcmc-354j

Heap Overflow Buffer Overflow RCE Format Plugins

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 21:34 vuln.today

DescriptionNVD

Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe Format Plugins versions 1.1.2 and earlier occurs via a heap-based buffer overflow triggered when a victim opens a malicious file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious Format Plugins file

Delivery

Deliver via phishing or download

Exploit

Victim opens file in Adobe app

Execution

Heap buffer overflow in parser

Persist

Hijack control flow

Impact

Execute code as current user

Access

Craft malicious Format Plugins file

Delivery

Deliver via phishing or download

Exploit

Victim opens file in Adobe app

Execution

Heap buffer overflow in parser

Persist

Hijack control flow

Impact

Execute code as current user

Vulnerability AssessmentAI

Exploitation	Exploitation requires the victim to open an attacker-supplied malicious file using an Adobe application that loads Format Plugins version 1.1.2 or earlier - this is explicitly stated in the description and reflected by UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a local attack vector with low complexity, no privileges required, but mandatory user interaction - consistent with a client-side file-parsing bug rather than a server-side or remote unauthenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious file in a format handled by Adobe Format Plugins and delivers it via phishing email, a malicious download link, or a watering-hole site. When the target opens the file in an Adobe application that loads the vulnerable plugin (version 1.1.2 or earlier), the malformed structures trigger a heap-based buffer overflow during parsing, resulting in arbitrary code execution under the user's account. …
Remediation	Apply the vendor-released patch per Adobe Security Bulletin APSB26-65 (https://helpx.adobe.com/security/products/formatplugins/apsb26-65.html) by upgrading Format Plugins to the fixed version identified in that advisory; the exact patched version string is not enumerated in the available intelligence, so administrators must consult the bulletin directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running Adobe Format Plugins versions ≤1.1.2; disable the plugins if not operationally essential, or revoke user permissions to open external files within the plugin interface. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48292 HIGH This Week

7.8 Jun 09

Arbitrary code execution in Adobe Format Plugins 1.1.2 and earlier occurs through a heap-based buffer overflow that exec

CVE-2026-48291 vulnerability details – vuln.today

Back

Adobe Format Plugins CVE-2026-48291

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code