CVE-2026-34621: CVE-2026-34621: Prototype Pollution to Arbitrary Code Execution in Adobe Acrobat EScript Engine

CVE-2026-34621: Prototype Pollution to Arbitrary Code Execution in Adobe Acrobat EScript Engine

Vulnerability ID: CVE-2026-34621
CVSS Score: 8.6
Published: 2026-04-11

CVE-2026-34621 is a critical Prototype Pollution vulnerability in the Adobe Acrobat and Reader EScript engine. The flaw allows attackers to bypass JavaScript trust boundaries and execute arbitrary code or read sensitive local files. Attackers have actively exploited this vulnerability in targeted campaigns since December 2025.

TL;DR

A zero-day Prototype Pollution vulnerability in Adobe Acrobat's EScript engine allows unauthenticated attackers to bypass trust boundaries, read local files, and execute arbitrary code upon opening a malicious PDF. The vulnerability has seen active in-the-wild exploitation.

---

⚠️ Exploit Status: ACTIVE

Technical Details

• CWE: CWE-1321
• Attack Vector: Local (User Interaction Required)
• CVSS Score: 8.6 (High)
• EPSS Percentile: 90.77%
• Impact: Arbitrary Code Execution / Local File Disclosure
• Exploit Status: Active / Weaponized
• CISA KEV: Listed (April 13, 2026)

Affected Systems

• Adobe Acrobat DC (Continuous)
• Adobe Acrobat Reader DC (Continuous)
• Adobe Acrobat (Classic 2024)
• Adobe Acrobat Reader (Classic 2024)
• Acrobat DC (Continuous): <= 26.001.21367 (Fixed in: 26.001.21411)
• Acrobat Reader DC (Continuous): <= 26.001.21367 (Fixed in: 26.001.21411)
• Acrobat (Classic 2024): <= 24.001.30356 (Fixed in: 24.001.30362)
• Acrobat Reader (Classic 2024): <= 24.001.30356 (Fixed in: 24.001.30362)

Exploit Details

• GitHub: Proof of Concept repository for CVE-2026-34621

Mitigation Strategies

• Deploy Adobe Security Update APSB26-43 to all affected endpoints.
• Disable JavaScript execution within Acrobat/Reader preferences.
• Enforce JavaScript disablement via Windows Registry/GPO.
• Deploy EDR rules to monitor Acrobat.exe for unusual file access patterns.

Remediation Steps:

1. Identify all hosts running Adobe Acrobat or Reader versions prior to the fixed releases.
2. Push updates via enterprise patch management tools to version 26.001.21411 (Continuous) or 24.001.30362 (Classic).
3. For systems that cannot be patched immediately, deploy the registry mitigation: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\JSPrefs -> bEnableJS = 0.
4. Verify mitigation application by attempting to execute a benign JavaScript payload in a test PDF.
5. Monitor SIEM logs for outbound network connections from Acrobat binaries to unrecognized IP addresses.

References

• Adobe Security Bulletin APSB26-43
• CISA KEV Catalog: CVE-2026-34621
• Technical Analysis by Kaya Ercihan
• PoC Repository
• SecurityWeek: Adobe Patches Reader Zero-Day Exploited for Months

---

Read the full report for CVE-2026-34621 on our website for more details including interactive diagrams and full exploit analysis.