Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Articles & Coverage 1
AnalysisAI
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-1321 (Prototype Pollution), a class of attack where attackers modify JavaScript object prototypes in runtime environments. Adobe Acrobat Reader embeds JavaScript engines for PDF interactivity (form validation, calculations, document actions). By injecting malicious properties into Object.prototype or other built-in prototypes through specially crafted PDF JavaScript, attackers can alter application behavior globally. When legitimate code accesses polluted properties, the injected values trigger unintended execution paths. Affected versions span Acrobat Reader 24.001.30356, 26.001.21367 and all earlier releases (per EUVD data confirming versions 0 through 26.001.21367). The scope change (S:C) in CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, consistent with JavaScript prototype chains influencing application-wide execution contexts.
RemediationAI
Apply vendor-released patches from Adobe Security Bulletin APSB26-43 available at https://helpx.adobe.com/security/products/acrobat/apsb26-43.html. While the input data does not specify exact fixed versions, Adobe's standard patching cadence typically releases updates simultaneously with bulletin publication-consult APSB26-43 for platform-specific installers and fixed version numbers. Enterprise deployments should use centralized update mechanisms (Adobe Update Server, SCCM, Intune) to ensure coverage across endpoints. Interim risk reduction measures include: disable JavaScript execution in Acrobat Reader preferences (Edit > Preferences > JavaScript > uncheck 'Enable Acrobat JavaScript'), though this may break legitimate PDF form functionality; implement email gateway filtering to block PDF attachments from untrusted sources; educate users on PDF phishing risks and suspicious document indicators (unexpected macro prompts, external resource loads). Protected View mode (if available in affected versions) provides sandboxing for untrusted documents but should not replace patching.
More in Prototype Pollution
View allPrototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21675
GHSA-vcqh-932g-m3qj