Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Local file-open attack needing no prior privileges (PR:N, UI:R, AV:L); untrusted-library load yields full code execution as the user (C/I/A:H), scope unchanged since code runs in the same user context.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Animate is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a malicious file, when opened by a victim, load attacker-controlled code in the context of the current user. The issue was reported by Adobe (advisory APSB26-83), requires user interaction, and carries a CVSS 3.1 base score of 7.9 with a changed scope. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open an attacker-supplied malicious file in Adobe Animate 2023 or 2024, and - because this is an untrusted search path flaw - for the attacker to place a malicious library where Animate's resolver will find it (typically the same directory as the opened file or another writable location on the search path). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (7.9, High) describes a local, low-complexity attack that requires the victim to open a malicious file, so this is a client-side/social-engineering-driven vulnerability rather than a remotely reachable service flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious Adobe Animate project file bundled with a rogue library file and delivers it to a victim via email or a download. When the victim opens the project in a vulnerable Animate 2023/2024 install, the application loads the attacker's library from the untrusted search path and runs arbitrary code as that user. … |
| Remediation | Apply the Adobe-provided update for Animate 2023 and 2024 as described in advisory APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html); the exact patched version string is published there and was not included in this intelligence set, so pull it from the advisory rather than assuming a build number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, issue security guidance to all Animate users restricting file opening to validated internal sources only and disabling external file imports where feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Animate 2023
View allArbitrary code execution in Adobe Animate 2023 and 2024 stems from a path traversal weakness triggered when a victim ope
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run commands in the context of the current
Arbitrary code execution in Adobe Animate 2023 and 2024 stems from an incorrect authorization (CWE-863) weakness that le
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run OS commands in the context of the curr
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an Incorrect Authorization flaw (CWE-863) that lets
Same weakness CWE-426 – Untrusted Search Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44441
GHSA-9pm8-37fw-r2f6