Skip to main content

Adobe Animate CVE-2026-48345

| EUVDEUVD-2026-44440 HIGH
OS Command Injection (CWE-78)
2026-07-14 adobe GHSA-3354-3vp3-3wjg
8.2
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
8.2 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file-open attack needing no attacker privileges (PR:N) but victim interaction (UI:R); code runs as the current user with full CIA impact, contained to that user context (S:U).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:57 vuln.today
CVE Published
Jul 14, 2026 - 19:53 nvd
HIGH 8.2

DescriptionCVE.org

Animate is affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run commands in the context of the current user via an OS command injection flaw (CWE-78) triggered when a victim opens a maliciously crafted file. The scope-changed CVSS 3.1 score of 8.2 reflects that successful exploitation can affect resources beyond the vulnerable application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Animate file with injected OS command
Delivery
Deliver file via email or shared storage
Exploit
Victim opens file in Adobe Animate 2023/2024
Execution
Special characters break into shell context
Persist
Execute arbitrary code as current user
Impact
Impact resources beyond app scope

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open an attacker-crafted malicious file in a vulnerable Adobe Animate 2023 or 2024 installation - that user interaction (UI:R) is the mandatory trigger, and the attack vector is local (AV:L), so there is no remote or network-facing exposure and no self-propagating path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, base 8.2) describes a local-vector, low-complexity issue that nonetheless requires user interaction (opening a malicious file) and yields high confidentiality, integrity, and availability impact with a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious Adobe Animate project or asset file that embeds OS command-injection payload data and delivers it via email, a shared drive, or a download posing as legitimate creative content. When a designer opens the file in a vulnerable Animate 2023 or 2024 build, the embedded payload breaks out into an OS command context and executes arbitrary code as that user. …
Remediation Apply the vendor update referenced in Adobe security bulletin APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html) - Patch available per vendor advisory, though the exact fixed version was not included in the provided data and must be read from APSB26-83. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, send a security alert to all Adobe Animate 2023 and 2024 users advising them to reject files from untrusted sources and implement email gateway rules to block suspicious attachments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy