Skip to main content

Adobe Animate EUVDEUVD-2026-44441

| CVE-2026-48346 HIGH
Untrusted Search Path (CWE-426)
2026-07-14 adobe GHSA-9pm8-37fw-r2f6
7.9
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.9 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
7.8 HIGH

Local file-open attack needing no prior privileges (PR:N, UI:R, AV:L); untrusted-library load yields full code execution as the user (C/I/A:H), scope unchanged since code runs in the same user context.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:57 vuln.today
CVE Published
Jul 14, 2026 - 19:53 nvd
HIGH 7.9

DescriptionCVE.org

Animate is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a malicious file, when opened by a victim, load attacker-controlled code in the context of the current user. The issue was reported by Adobe (advisory APSB26-83), requires user interaction, and carries a CVSS 3.1 base score of 7.9 with a changed scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Animate file plus rogue library
Delivery
Deliver file to victim via email or download
Exploit
Victim opens file in Animate 2023/2024
Execution
Application loads library from untrusted search path
Impact
Execute arbitrary code as current user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open an attacker-supplied malicious file in Adobe Animate 2023 or 2024, and - because this is an untrusted search path flaw - for the attacker to place a malicious library where Animate's resolver will find it (typically the same directory as the opened file or another writable location on the search path). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (7.9, High) describes a local, low-complexity attack that requires the victim to open a malicious file, so this is a client-side/social-engineering-driven vulnerability rather than a remotely reachable service flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious Adobe Animate project file bundled with a rogue library file and delivers it to a victim via email or a download. When the victim opens the project in a vulnerable Animate 2023/2024 install, the application loads the attacker's library from the untrusted search path and runs arbitrary code as that user. …
Remediation Apply the Adobe-provided update for Animate 2023 and 2024 as described in advisory APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html); the exact patched version string is published there and was not included in this intelligence set, so pull it from the advisory rather than assuming a build number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, issue security guidance to all Animate users restricting file opening to validated internal sources only and disabling external file imports where feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy