Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Prototype pollution in Adobe Acrobat Reader allows arbitrary code execution when victims open malicious PDF files. Affects Acrobat Reader versions through 26.001.21411, 24.001.30360, and 24.001.30362. Attack requires local file access with user interaction (CVSS AV:L/UI:R) but achieves scope change and full CIA impact (S:C/C:H/I:H/A:H), yielding CVSS 8.6. No public exploit identified at time of analysis. Vendor advisory available from Adobe (APSB26-44). EPSS data not provided; exploitation status limited to user-interaction-dependent local attack vector.
Technical ContextAI
This vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. In JavaScript-based applications like PDF readers with embedded scripting engines, prototype pollution occurs when an attacker can inject properties into base object prototypes (e.g., Object.prototype), causing all subsequently created objects to inherit malicious properties. Adobe Acrobat Reader incorporates a JavaScript engine for interactive PDF features, forms, and automation. By crafting PDF files with malicious JavaScript that manipulates prototype chains, attackers can override built-in methods or inject executable payloads. The CPE identifier cpe:2.3:a:adobe:acrobat_reader indicates all Adobe Acrobat Reader products are in scope. The CVSS scope change (S:C) suggests the vulnerability can break out of the application's normal security context, potentially affecting the underlying operating system or other processes running under the victim's user account.
RemediationAI
Apply the vendor-released patch by upgrading Adobe Acrobat Reader to the versions specified in Adobe Security Bulletin APSB26-44 available at https://helpx.adobe.com/security/products/acrobat/apsb26-44.html. Adobe typically releases patches for both continuous and classic tracks simultaneously; consult the bulletin for exact fixed version numbers for each track (specific fix versions not provided in source data). For continuous track users, upgrade to the latest version post-26.001.21411; for classic track users, upgrade beyond 24.001.30362. Until patching is complete, implement defense-in-depth controls: restrict PDF sources to trusted domains, disable JavaScript execution in Acrobat Reader preferences (Edit → Preferences → JavaScript → uncheck Enable JavaScript), use email gateway sandboxing to detonate suspicious PDFs, and educate users on social engineering risks. Organizations may consider alternative PDF readers without JavaScript engines for users who do not require interactive PDF features. Verify successful patching by checking Help → About Adobe Acrobat Reader to confirm version post-remediation.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22335
GHSA-qf67-wfx4-7jww