Zero-Day Security Alert — April 13, 2026: Adobe Acrobat Reader Prototype Pollution Actively Exploited

CVE-2026-34621: Adobe Acrobat Reader prototype pollution flaw enables arbitrary code execution and is actively exploited in the wild. CVSS 8.6. Patch immediately to versions beyond 24.001.30356 and 26.001.21367.

Daily Security Briefing

April 13, 2026

CVE-2026-34621 | CVSS 8.6 | HIGH Severity | Actively Exploited in the Wild

Affected Product

Adobe Acrobat and Adobe Reader — versions 24.001.30356 and 26.001.21367 and earlier on Windows and macOS.

Description

A prototype pollution vulnerability (CWE-1321) in Adobe Acrobat Reader allows arbitrary code execution in the context of the current user. The flaw stems from improperly controlled modification of object prototype attributes, enabling attackers to manipulate JavaScript object inheritance and inject malicious code. CISA has added this CVE to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

Attack Vector

Local attack vector requiring user interaction. The victim must open a malicious PDF file crafted by the attacker. Common delivery methods include phishing emails with PDF attachments, malicious downloads from compromised websites, and drive-by attacks. Once opened, the embedded payload executes with the privileges of the current user.

Remediation

Update Adobe Acrobat and Adobe Reader to versions newer than 24.001.30356 and 26.001.21367 immediately per Adobe security advisory APSB26-43. Organizations using managed Adobe deployments should push updates via their endpoint management tools without delay. Users should be cautioned against opening PDF attachments from untrusted sources until patches are deployed. Federal agencies are bound by CISA BOD 22-01 to remediate by April 27, 2026.

CISA Remediation Due Date: April 27, 2026

This report is generated automatically from NVD and CISA KEV data.