Skip to main content

Adobe Animate CVE-2026-48348

| EUVDEUVD-2026-44437 HIGH
Incorrect Authorization (CWE-863)
2026-07-14 adobe GHSA-g3c2-8rh7-fvm4
7.7
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.7 HIGH
AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
7.7 HIGH

File must be opened locally so AV:L/UI:R; 'conditions beyond attacker control' justify AC:H; no auth needed (PR:N); code execution escapes the app boundary (S:C) with full C/I/A impact.

3.1 AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:56 vuln.today
CVE Published
Jul 14, 2026 - 19:53 nvd
HIGH 7.7

DescriptionCVE.org

Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an Incorrect Authorization flaw (CWE-863) that lets a maliciously crafted file run code in the context of the current user. Exploitation requires the victim to open the attacker-supplied file and depends on conditions beyond the attacker's control, and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Animate file
Delivery
Deliver via email or shared asset
Exploit
Victim opens file in Animate
Execution
Incorrect authorization check bypassed
Persist
Execute code as current user
Impact
Scope change impacts host session

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a malicious file in Adobe Animate 2023 or 2024 (UI:R) and local delivery of that file to the target host (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.7 (High) with vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H - a file-borne, client-side attack, not a remotely reachable service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious Animate project or media file and delivers it via email, a shared drive, or a download posing as a legitimate design asset. A designer opens the file in Adobe Animate 2023 or 2024, the incorrect authorization check is bypassed, and attacker code executes with the user's privileges - potentially escaping the application boundary due to the changed scope. …
Remediation Update Adobe Animate 2023 and 2024 to the fixed builds released by Adobe; consult advisory APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html) for the exact patched version numbers, as they are not specified in the available data (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Adobe Animate 2023 or 2024 via endpoint detection tools or asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy