ADOBE’S latest Patch Tuesday fixes 55 vulnerabilities across 11 products, with nearly all advisories carrying a priority of 3, meaning they are not expected to be exploited in attacks. However, five critical ColdFusion vulnerabilities have a priority of 1, underscoring the product’s history of targeted exploitation, and the flaws can be exploited to bypass security features, read files from the system, and execute arbitrary code.
Critical code execution vulnerabilities were also patched in Acrobat Reader, InDesign, InCopy, FrameMaker, Connect, Bridge, Photoshop, and Illustrator. In addition, important-severity issues—including ones allowing code execution, DoS attacks, and privilege escalation—were fixed in Experience Manager Screens and the DNG SDK, according to CISA’s warning that it is aware of exploits for an old Acrobat and Reader vulnerability CVE-2020-9715.
A separate noted item references CVE-2026-34621, an Acrobat and Reader zero-day that appears to have been exploited for several months. Written by Eduard Kovacs, the piece was published on 14 April 2026.