On 13 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-34621, known as the Adobe Acrobat and Reader Prototype Pollution Vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Adobe Acrobat and Reader and permits arbitrary code execution.
CVE-2026-34621 is a prototype pollution vulnerability in the JavaScript handling of Acrobat and Reader. By polluting object prototypes, an attacker can manipulate the application's internal state and achieve arbitrary code execution when a victim opens a malicious PDF or interacts with compromised web content. Exploitation does not require user interaction beyond opening the crafted file, and the vulnerability can be triggered through both desktop and web-based versions of the products.
The vulnerability has been assigned a CVSS v3.1 score of 8.6, rating it as HIGH severity. Adobe has released a security update that addresses the issue.
Inclusion in the KEV catalogue means CISA has evidence that CVE-2026-34621 is being actively exploited in the wild. No public reports link this vulnerability to ransomware campaigns at this time. Federal agencies must remediate the flaw by the CISA-set deadline of 27 April 2026.
CISA directs Federal Civilian Executive Branch (FCEB) agencies to apply mitigations per Adobe’s instructions, follow applicable Binding Operational Directive 22-01 guidance for cloud services, or discontinue use of Acrobat and Reader if mitigations cannot be applied. While the mandate binds FCEB organisations, all other entities should review their exposure to the affected products and implement the recommended mitigations promptly.
For full technical details, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-34621 and the CISA KEV catalogue.