Skip to main content

Adobe InDesign Desktop CVE-2026-48293

| EUVD-2026-35774 HIGH
Out-of-bounds Write (CWE-787)
2026-06-09 adobe GHSA-pqhm-q8q5-gvfx
Memory Corruption Buffer Overflow RCE Indesign Desktop
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 18:53 vuln.today

DescriptionNVD

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-in user when a victim opens a maliciously crafted document file. The flaw is an out-of-bounds write (CWE-787) memory corruption issue requiring user interaction, and no public exploit has been identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target with InDesign installed
Delivery
Craft malicious INDD/IDML file
Exploit
Deliver via phishing email or shared drive
Install
Victim opens file in InDesign
C2
Trigger out-of-bounds write in parser
Execute
Hijack execution flow
Impact
Execute arbitrary code as current user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a malicious InDesign-format file (such as INDD or IDML) in a vulnerable Adobe InDesign Desktop installation at version 21.3, 20.5.3 or earlier; the CVSS vector AV:L/AC:L/PR:N/UI:R confirms local attack vector with mandatory user interaction and no pre-existing authentication on the target. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 7.8 reflects local attack vector (AV:L) with low complexity (AC:L), no privileges required (PR:N), but mandatory user interaction (UI:R) - meaning a user must be socially engineered into opening a malicious file, which materially reduces opportunistic mass exploitation potential despite the High impact across confidentiality, integrity and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious InDesign document containing a malformed structure that triggers the out-of-bounds write during parsing, then delivers it via spear-phishing email to a designer or marketing employee - for example, posing as a freelance contributor submitting layout assets. When the victim double-clicks the file and InDesign opens it, the memory corruption is triggered and the attacker's shellcode executes with the user's privileges, enabling credential theft, lateral movement, or ransomware deployment. …
Remediation Apply the patch available per vendor advisory APSB26-58 at https://helpx.adobe.com/security/products/indesign/apsb26-58.html, updating Adobe InDesign Desktop beyond the affected 21.3 and 20.5.3 branches via the Adobe Creative Cloud desktop application; exact fixed version numbers should be taken directly from that bulletin. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all Adobe InDesign Desktop installations (versions 21.3 and earlier); disable the application for non-critical users; alert users to avoid opening design files from external or untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-34695 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft
CVE-2026-34696 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge
CVE-2026-34697 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow
CVE-2026-34698 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE
CVE-2026-34699 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier is possible when a user opens a mal

Share

CVE-2026-48293 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy