Severity by source
AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
File must be opened locally so AV:L/UI:R; 'conditions beyond attacker control' justify AC:H; no auth needed (PR:N); code execution escapes the app boundary (S:C) with full C/I/A impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an Incorrect Authorization flaw (CWE-863) that lets a maliciously crafted file run code in the context of the current user. Exploitation requires the victim to open the attacker-supplied file and depends on conditions beyond the attacker's control, and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a malicious file in Adobe Animate 2023 or 2024 (UI:R) and local delivery of that file to the target host (AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.7 (High) with vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H - a file-borne, client-side attack, not a remotely reachable service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious Animate project or media file and delivers it via email, a shared drive, or a download posing as a legitimate design asset. A designer opens the file in Adobe Animate 2023 or 2024, the incorrect authorization check is bypassed, and attacker code executes with the user's privileges - potentially escaping the application boundary due to the changed scope. … |
| Remediation | Update Adobe Animate 2023 and 2024 to the fixed builds released by Adobe; consult advisory APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html) for the exact patched version numbers, as they are not specified in the available data (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Adobe Animate 2023 or 2024 via endpoint detection tools or asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Animate 2023
View allArbitrary code execution in Adobe Animate 2023 and 2024 stems from a path traversal weakness triggered when a victim ope
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run commands in the context of the current
Arbitrary code execution in Adobe Animate 2023 and 2024 stems from an incorrect authorization (CWE-863) weakness that le
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run OS commands in the context of the curr
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44437
GHSA-g3c2-8rh7-fvm4