Zero-day | Apr 12, 2026

Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621

Adobe patches actively exploited Acrobat Reader prototype pollution flaw CVE-2026-34621.

Summary

Adobe released emergency updates to fix CVE-2026-34621, a critical prototype pollution vulnerability in Acrobat Reader with a CVSS score of 8.6 that enables arbitrary code execution. The flaw has been under active exploitation since at least December 2025, with attackers leveraging specially crafted PDF documents to run malicious JavaScript. Patched versions include Acrobat DC 26.001.21411 and Acrobat 2024 24.001.30362/30360.

Full text

Ravie Lakshmanan | Apr 12, 2026 | Vulnerability / Endpoint Security

Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.

It has been described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that permits an attacker to manipulate an application's objects and properties.

The issue impacts the following products and versions for both Windows and macOS -

  • Acrobat DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
  • Acrobat Reader DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
  • Acrobat 2024 versions 24.001.30356 and earlier (Fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)

Adobe acknowledged that it's "aware of CVE-2026-34621 being exploited in the wild."

The development comes days after security researcher and EXPMON founder Haifei Li disclosed details of zero-day exploitation of the flaw to run malicious JavaScript code when opening specially crafted PDF documents through Adobe Reader. There is evidence suggesting that the vulnerability may have been under exploitation since December 2025.

"It appears that Adobe has determined the bug can lead to arbitrary code execution — not just an information leak," EXPMON said in a post on X. "This aligns with our findings and those of other security researchers over the last few days."

(The story was updated after publication to reflect the change in CVSS score from 9.6 to 8.6. In a revision to its advisory on April 12, 2026, Adobe said it adjusted the attack vector from Network (AV:N) to Local (AV:L).)
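The affected and fixed builds listed in the article can be checked against an endpoint inventory. The following is an added example, not code from Adobe or from the article; the record layout (host, product, platform, version), the status labels and the sample hosts are assumptions constructed for illustration.

```python
# Added example: triage installed Acrobat builds against the article's version list.
# Assumption: inventory records are dicts with host, product, platform, version.

# product -> (last affected build, first fixed build per platform), from the article
ADVISORY = {
    "Acrobat DC": ("26.001.21367", {"windows": "26.001.21411", "macos": "26.001.21411"}),
    "Acrobat Reader DC": ("26.001.21367", {"windows": "26.001.21411", "macos": "26.001.21411"}),
    "Acrobat 2024": ("24.001.30356", {"windows": "24.001.30362", "macos": "24.001.30360"}),
}

def parse_version(text):
    """Turn 'YY.NNN.BBBBB' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, platform, version):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unknown' for one install."""
    last_affected, fixed_by_platform = ADVISORY.get(product, (None, {}))
    fixed = fixed_by_platform.get(platform.lower())
    if fixed is None:
        return "unknown"  # product or platform not covered by the article
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # do not guess at malformed inventory data
    if installed >= parse_version(fixed):
        return "patched"
    if installed <= parse_version(last_affected):
        return "vulnerable"
    return "unlisted"  # between last affected and first fixed: verify manually

def triage(inventory):
    """Classify every record; returns a list of (host, status) pairs."""
    return [(r["host"], classify(r["product"], r["platform"], r["version"]))
            for r in inventory]

# Constructed sample inventory (hosts and installed builds are made up).
SAMPLE = [
    {"host": "ws-01", "product": "Acrobat Reader DC", "platform": "Windows", "version": "26.001.21367"},
    {"host": "ws-02", "product": "Acrobat DC", "platform": "macOS", "version": "26.001.21411"},
    {"host": "ws-03", "product": "Acrobat 2024", "platform": "Windows", "version": "24.001.30360"},
    {"host": "ws-04", "product": "Acrobat 2024", "platform": "macOS", "version": "24.001.30360"},
    {"host": "ws-05", "product": "Acrobat Reader DC", "platform": "Windows", "version": "25.1"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

The same Acrobat 2024 build number is classified differently on Windows and macOS because the article lists a different fixed build for each platform.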

Indicators of Compromise

  • cve — CVE-2026-34621

Entities

  • Adobe (vendor)
  • Acrobat Reader DC (product)
  • Acrobat DC (product)
  • Acrobat 2024 (product)
  • Unknown (active exploitation actors) (threat_actor)