Skip to main content

Adobe Animate EUVDEUVD-2026-44439

| CVE-2026-48347 HIGH
OS Command Injection (CWE-78)
2026-07-14 adobe GHSA-8m86-2cxp-pw9w
7.7
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.7 HIGH
AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

File must be opened locally (AV:L, UI:R); the opening user needs no special privilege so PR:N (contra Adobe's PR:H); code runs in current user context so S:U with full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:56 vuln.today
CVE Published
Jul 14, 2026 - 19:53 nvd
HIGH 7.7

DescriptionCVE.org

Animate is affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run OS commands in the context of the current user when a victim opens a maliciously crafted file. The flaw is an OS command injection (CWE-78) with no public exploit identified at time of analysis and no active exploitation reported in CISA KEV; risk hinges on social-engineering a user into opening the file. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Animate file with injected command
Delivery
Deliver file via email or download
Exploit
Victim opens file in Animate 2023/2024
Execution
Payload reaches OS command interpreter
Impact
Execute arbitrary code as current user

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim running Adobe Animate 2023 or 2024 to open a specifically crafted malicious file (UI:R) locally (AV:L); the attacker cannot trigger it remotely without that user action. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to moderate, socially-gated risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious Adobe Animate project or asset file with embedded command-injection payload and delivers it via email, chat, or a download link, relying on social engineering. When the victim opens the file in Animate 2023 or 2024, the embedded payload is passed to an OS command interpreter and executes arbitrary commands in the victim's user context. …
Remediation Apply the updates referenced in Adobe security bulletin APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html) for Adobe Animate 2023 and 2024; the exact fixed build numbers are listed in that advisory and should be pulled directly from it rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Adobe Animate 2023 or 2024 and alert users to avoid opening files from untrusted sources; block email delivery of file types commonly used with Animate (XFL, ANI) from external senders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy