
Adobe Acrobat PDF Extension CVE-2026-48294

EUVD-2026-37291 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 · adobe
7.4 · CVSS 3.1 · Vendor: adobe

Severity by source

Vendor (adobe), PRIMARY: 7.4 HIGH, AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
vuln.today AI: 7.4 HIGH

Remote web-delivered UXSS needs no privileges but requires a victim click (UI:R); scope changes across origins to disclose session data, with no integrity or availability impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS Vector (Vendor: adobe)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Analysis Generated: Jun 16, 2026 - 21:43 (vuln.today)
  • CVE Published: Jun 16, 2026 - 20:12 (cve.org)

Description (CVE.org)

Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Analysis (AI)

Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit was identified at the time of analysis. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Attacker crafts malicious page with UXSS payload
  • Delivery: Victim clicks link or loads compromised site
  • Exploit: Vulnerable extension processes attacker input in privileged context
  • Execution: Cross-origin script executes under extension scope
  • Persist: Session data read from other origins
  • Impact: Exfiltrate cookies/tokens to attacker server

Vulnerability Assessment (AI)

Exploitation: The victim must (1) have Adobe Acrobat PDF Extension for Chrome version 26.5.2.2 or earlier installed and enabled in a Chromium-based browser, and (2) actively visit a maliciously crafted URL or interact with a compromised web page (UI:R). …

Risk Assessment: Signals are consistent but moderate. …

Exploit Scenario: An attacker sends a phishing link or compromises a frequently visited site; when a victim running the vulnerable extension visits the page, attacker-controlled script triggers the UXSS condition in the extension's privileged context. The script then reads session-scoped data (cookies, tokens, or DOM content) from other origins the user is logged into - for example a webmail or SaaS tab - and exfiltrates it. …

Remediation: Patch available per vendor advisory: update the Adobe Acrobat PDF Extension for Chrome to a version newer than 26.5.2.2 via the Chrome Web Store (https://chromewebstore.google.com/detail/adobe-acrobat-pdf-edit-co/efaidnbmnnnibpcajpcglclefindmkaj); confirm auto-updates are enabled in chrome://extensions so endpoints pick up the fix without user action. …

Recommended Action (AI)

Within 24 hours: Inventory Chrome deployments to identify users with Adobe Acrobat PDF Extension v26.5.2.2 or earlier installed. …
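
One way to run the inventory step on a single endpoint, as an added example (not code from vuln.today or Adobe): it walks a Chrome user-data directory, reads each installed copy's manifest.json, and flags versions at or below 26.5.2.2. The extension ID comes from the Web Store URL above; the function names, the assumed on-disk layout and the sample tree (including the "26.6.1.0" version, which is not a real fixed version) are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Extension ID taken from the Chrome Web Store URL in the remediation text.
EXT_ID = "efaidnbmnnnibpcajpcglclefindmkaj"
LAST_AFFECTED = (26, 5, 2, 2)  # "26.5.2.2 and earlier" per the CVE description


def parse_version(text):
    """Extension versions are 1-4 dot-separated integers; pad to 4 parts to compare."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def find_installs(user_data_dir):
    """Return sorted (profile, version, affected) tuples for one Chrome user-data dir.

    Assumed layout: <user data>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    """
    results = []
    pattern = f"*/Extensions/{EXT_ID}/*/manifest.json"
    for manifest in Path(user_data_dir).glob(pattern):
        profile = manifest.parents[3].name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = data["version"]
            affected = parse_version(version) <= LAST_AFFECTED
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # Unreadable or malformed manifest: flag it so it is checked by hand.
            version, affected = "unknown", True
        results.append((profile, version, affected))
    return sorted(results)


def build_sample_tree(root):
    """Constructed sample data: one profile at the last affected version, one newer."""
    for profile, version in (("Default", "26.5.2.2"), ("Profile 1", "26.6.1.0")):
        d = Path(root) / profile / "Extensions" / EXT_ID / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": version}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for profile, version, affected in find_installs(build_sample_tree(tmp)):
            print(f"{profile}: {version} {'AFFECTED' if affected else 'ok'}")
```

On a real endpoint, pass the browser's user-data directory to find_installs, for example %LOCALAPPDATA%\Google\Chrome\User Data on Windows or ~/.config/google-chrome on Linux.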
