Skip to main content

Prototype Pollution EUVDEUVD-2026-22335

| CVE-2026-34622 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-14 adobe GHSA-qf67-wfx4-7jww
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 14:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 18:49 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:00 euvd
EUVD-2026-22335
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
CVE Published
Apr 14, 2026 - 16:18 nvd
HIGH 8.6

DescriptionCVE.org

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Prototype pollution in Adobe Acrobat Reader allows arbitrary code execution when victims open malicious PDF files. Affects Acrobat Reader versions through 26.001.21411, 24.001.30360, and 24.001.30362. Attack requires local file access with user interaction (CVSS AV:L/UI:R) but achieves scope change and full CIA impact (S:C/C:H/I:H/A:H), yielding CVSS 8.6. No public exploit identified at time of analysis. Vendor advisory available from Adobe (APSB26-44). EPSS data not provided; exploitation status limited to user-interaction-dependent local attack vector.

Technical ContextAI

This vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. In JavaScript-based applications like PDF readers with embedded scripting engines, prototype pollution occurs when an attacker can inject properties into base object prototypes (e.g., Object.prototype), causing all subsequently created objects to inherit malicious properties. Adobe Acrobat Reader incorporates a JavaScript engine for interactive PDF features, forms, and automation. By crafting PDF files with malicious JavaScript that manipulates prototype chains, attackers can override built-in methods or inject executable payloads. The CPE identifier cpe:2.3:a:adobe:acrobat_reader indicates all Adobe Acrobat Reader products are in scope. The CVSS scope change (S:C) suggests the vulnerability can break out of the application's normal security context, potentially affecting the underlying operating system or other processes running under the victim's user account.

RemediationAI

Apply the vendor-released patch by upgrading Adobe Acrobat Reader to the versions specified in Adobe Security Bulletin APSB26-44 available at https://helpx.adobe.com/security/products/acrobat/apsb26-44.html. Adobe typically releases patches for both continuous and classic tracks simultaneously; consult the bulletin for exact fixed version numbers for each track (specific fix versions not provided in source data). For continuous track users, upgrade to the latest version post-26.001.21411; for classic track users, upgrade beyond 24.001.30362. Until patching is complete, implement defense-in-depth controls: restrict PDF sources to trusted domains, disable JavaScript execution in Acrobat Reader preferences (Edit → Preferences → JavaScript → uncheck Enable JavaScript), use email gateway sandboxing to detonate suspicious PDFs, and educate users on social engineering risks. Organizations may consider alternative PDF readers without JavaScript engines for users who do not require interactive PDF features. Verify successful patching by checking Help → About Adobe Acrobat Reader to confirm version post-remediation.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

EUVD-2026-22335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy